Introduction
The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.
MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme. The following document is generated from the machine-readable JSON describing the MISP galaxy.
Funding and Support
The MISP project is financially and resource supported by CIRCL Computer Incident Response Center Luxembourg .
A CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31th August 2019 as Improving MISP as building blocks for next-generation information sharing.
If you are interested to co-fund projects around MISP, feel free to get in touch with us.
MISP galaxy
360.net Threat Actors
Known or estimated adversary groups as identified by 360.net..
| 360.net Threat Actors is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
360.net
CIA - APT-C-39
APT-C-39是一个来自美国,与NSA存在联系,系属于CIA的高规格,高水平的APT组织。对中国关键领域进行了长达十一年的网络渗透攻击。中国航空航天、科研机构、石油行业、大型互联网公司以及政府机构等多个单位均遭到不同程度的攻击
The tag is: misp-galaxy:360net-threat-actor="CIA - APT-C-39"
CIA - APT-C-39 is also known as:
Links |
海莲花 - APT-C-00
海莲花(OceanLotus)APT团伙是一个高度组织化的、专业化的境外国家级黑客组织,其最早由360发现并披露。该组织至少自2012年4月起便针对中国政府、科研院所、海事机构、海域建设、航运企业等相关重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。
The tag is: misp-galaxy:360net-threat-actor="海莲花 - APT-C-00"
海莲花 - APT-C-00 is also known as:
-
OceanLotus
Links |
摩诃草 - APT-C-09
摩诃草组织(APT-C-09),又称HangOver、VICEROY TIGER、The Dropping Elephant、Patchwork,是一个来自南亚地区的境外APT组织,该组织已持续活跃了12年。摩诃草组织最早由Norman安全公司于2013年曝光,随后又有其他安全厂商持续追踪并披露该组织的最新活动,但该组织并未由于相关攻击行动曝光而停止对相关目标的攻击,相反从2015年开始更加活跃。摩诃草组织主要针对中国、巴基斯坦等亚洲地区国家进行网络间谍活动,其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2009年11月,至今还非常活跃。在针对中国地区的攻击中,该组织主要针对政府机构、科研教育领域进行攻击,其中以科研教育领域为主。
The tag is: misp-galaxy:360net-threat-actor="摩诃草 - APT-C-09"
摩诃草 - APT-C-09 is also known as:
-
HangOver
-
VICEROY TIGER
-
The Dropping Elephant
-
Patchwork
Links |
黄金鼠 - APT-C-27
从2014年11月起至今,黄金鼠组织(APT-C-27)对叙利亚地区展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台从开始的Windows平台逐渐扩展至Android平台,截至目前我们一共捕获了Android平台攻击样本29个,Windows平台攻击样本55个,涉及的C&C域名9个。将APT-C-27组织命名为黄金鼠,主要是考虑了以下几方面的因素:一是该组织在攻击过程中使用了大量的资源,说明该攻击组织资源丰富,而黄金鼠有长期在野外囤积粮食的习惯,字面上也有丰富的含义;二、该攻击组织通常是间隔一段时间出来攻击一次,这跟鼠有相通的地方;三是黄金仓鼠是叙利亚地区一种比较有代表性的动物。
The tag is: misp-galaxy:360net-threat-actor="黄金鼠 - APT-C-27"
黄金鼠 - APT-C-27 is also known as:
Links |
Lazarus - APT-C-26
Lazarus组织是疑似来自朝鲜的APT组织,该组织长期对韩国、美国进行渗透攻击,此外还对全球的金融机构进行攻击,堪称全球金融机构的最大威胁。该组织最早的攻击活动可以追溯到2007年。据国外安全公司的调查显示,Lazarus组织与2014 年索尼影业遭黑客攻击事件,2016 年孟加拉国银行数据泄露事件,2017年美国国防承包商、美国能源部门及英国、韩国等比特币交易所被攻击等事件有关。而2017年席卷全球的最臭名昭著的安全事件“Wannacry”勒索病毒也被怀疑是该组织所为。
The tag is: misp-galaxy:360net-threat-actor="Lazarus - APT-C-26"
Lazarus - APT-C-26 is also known as:
-
APT38
Links |
黄金雕 - APT-C-34
黄金雕组织的活动主要影响中亚地区,大部分集中在哈萨克斯坦国境内,攻击目标涉及教育行业、政府机关人员、科研人员、媒体工作人员、部分商务工业、军方人员、宗教人员、政府异见人士和外交人员等。该组织使用社会工程学、物理接触、无线电监听等方式进行网络攻击,同时也采购了HackingTeam、NSO Group等网络军火商的武器,具备0day漏洞的高级入侵能力。360参照中亚地区擅长驯养猎鹰进行狩猎的习俗特性,将该组织命名为黄金雕(APT-C-34)。
The tag is: misp-galaxy:360net-threat-actor="黄金雕 - APT-C-34"
黄金雕 - APT-C-34 is also known as:
Links |
盲眼鹰 - APT-C-36
从2018年4月起至今,一个疑似来自南美洲的APT组织盲眼鹰(APT-C-36)针对哥伦比亚政府机构和大型公司(金融、石油、制造等行业)等重要领域展开了有组织、有计划、针对性的长期不间断攻击。其攻击平台主要为Windows,攻击目标锁定为哥伦比亚政企机构。由于该组织攻击的目标中有一个特色目标是哥伦比亚盲人研究所,而哥伦比亚在足球领域又被称为南美雄鹰,结合该组织的一些其它特点以及360威胁情报中心对 APT 组织的命名规则,我们将该组织命名为盲眼鹰(APT-C-36)。
The tag is: misp-galaxy:360net-threat-actor="盲眼鹰 - APT-C-36"
盲眼鹰 - APT-C-36 is also known as:
Links |
毒针 - APT-C-31
2018年11月25日,360高级威胁应对团队就在全球范围内第一时间发现了一起针对俄罗斯的APT攻击行动,攻击目标则指向俄罗斯总统办公室所属的医疗机构,此次攻击行动使用了Flash 0day漏洞CVE-2018-15982和Hacking Team的RCS后门程序,结合被攻击目标医疗机构的职能特色,360将此次APT攻击命名为“毒针”行动。
The tag is: misp-galaxy:360net-threat-actor="毒针 - APT-C-31"
毒针 - APT-C-31 is also known as:
Links |
ArmaRat - APT-C-33
2016年7月,360发现一起针对伊朗Android手机用户长达两年之久的APT攻击活动。攻击者借助社交软件Telegram分享经过伪装的ArmaRat木马,入侵成功后攻击者可以完全控制用户手机,并对用户手机进行实时监控。由于该木马演变过程中C&C及代码结构均出现“arma”关键字,所以我们将该组织命名为“ArmaRat”。
The tag is: misp-galaxy:360net-threat-actor="ArmaRat - APT-C-33"
ArmaRat - APT-C-33 is also known as:
Links |
军刀狮 - APT-C-38
从2015年7月起至今,军刀狮组织(APT-C-38)在中东地区展开了有组织、有计划、针对性的不间断攻击,其攻击平台为Windows和Android。由于军刀狮组织的攻击目标有一个主要的特色目标是西亚中东某国的库尔德人,另Windows端RAT包含的PDB路径下出现多次的“Saber”,而亚洲狮为该中东国家的代表动物,结合该组织的一些其它特点以及360对 APT 组织的命名规则,我们将该组织命名为军刀狮(APT-C-38)。
The tag is: misp-galaxy:360net-threat-actor="军刀狮 - APT-C-38"
军刀狮 - APT-C-38 is also known as:
Links |
拍拍熊 - APT-C-37
拍拍熊组织(APT-C-37)针对极端组织“伊斯兰国”展开了有组织、有计划、针对性的长期不间断攻击,其攻击平台为Windows和Android。
The tag is: misp-galaxy:360net-threat-actor="拍拍熊 - APT-C-37"
拍拍熊 - APT-C-37 is also known as:
Links |
人面狮 - APT-C-15
人面狮行动是活跃在中东地区的网络间谍活动,主要目标可能涉及到埃及和以色列等国家的不同组织,目的是窃取目标敏感数据信息。活跃时间主要集中在2014年6月到2015年11月期间,相关攻击活动最早可以追溯到2011年12月。主要利用社交网络进行水坑攻击,截止到目前总共捕获到恶意代码样本314个,C&C域名7个。
The tag is: misp-galaxy:360net-threat-actor="人面狮 - APT-C-15"
人面狮 - APT-C-15 is also known as:
Links |
美人鱼 - APT-C-07
美人鱼组织(APT-C-07),来自于中东的境外APT组织,已持续活跃了9年。 主要针对政府机构进行网络间谍活动,以窃取敏感信息为目的,已经证实有针对丹麦外交部的攻击。
The tag is: misp-galaxy:360net-threat-actor="美人鱼 - APT-C-07"
美人鱼 - APT-C-07 is also known as:
Links |
双尾蝎 - APT-C-23
2016年5月起至今,双尾蝎组织(APT-C-23)对巴勒斯坦教育机构、军事机构等重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台包括Windows与Android,攻击范围主要为中东地区,截至目前我们一共捕获了Android样本24个,Windows样本19个,涉及的C&C域名29个。将APT-C-23组织命名为双尾蝎,主要是考虑了以下几方面的因素:一是该组织同时攻击了巴勒斯坦和以色列这两个存在一定敌对关系的国家,这种情况在以往并不多见;二是该组织同时在Windows和Android两种平台上发动攻击。虽然以往我们截获的APT组织中也有一些进行多平台攻击的例子,如海莲花,但绝大多数APT组织攻击的重心仍然是Windows平台。而同时注重两种平台,并且在Android平台上攻击如此活跃的APT组织,在以往并不多见。第三个原因就是蝎子在巴以地区是一种比较有代表性的动物。
The tag is: misp-galaxy:360net-threat-actor="双尾蝎 - APT-C-23"
双尾蝎 - APT-C-23 is also known as:
Links |
蓝宝菇 - APT-C-12
从2011年开始持续至今,高级攻击组织蓝宝菇(APT-C-12)对我国政府、军工、科研、金融等重点单位和部门进行了持续的网络间谍活动。该组织主要关注核工业和科研等相关信息。被攻击目标主要集中在中国大陆境内。
The tag is: misp-galaxy:360net-threat-actor="蓝宝菇 - APT-C-12"
蓝宝菇 - APT-C-12 is also known as:
-
核危机行动(Operation NuclearCrisis)
Links |
毒云藤 - APT-C-01
APT-C-01又名毒云藤,是一个长期针对中国境内的APT组织,至少从2007年开始活跃。曾对中国国防、政府、科技、教育以及海事机构等重点单位和部门进行了长达11年的网络间谍活动,主要关注军工、中美关系、两岸关系和海洋相关的领域,旨在窃取重大决策及敏感信息。APT-C-01由360威胁情报中心首次披露,结合该组织关联地区常见的蔓藤植物,因此将其命名为“毒云藤”。
The tag is: misp-galaxy:360net-threat-actor="毒云藤 - APT-C-01"
毒云藤 - APT-C-01 is also known as:
-
穷奇
-
白海豚
-
绿斑
Links |
Darkhotel - APT-C-06
Darkhotel(APT-C-06)是一个长期针对企业高管、国防工业、电子工业等重要机构实施网络间谍攻击活动的APT组织。2014年11月,卡巴斯基实验室的安全专家首次发现了Darkhotel APT组织,并声明该组织至少从2010年就已经开始活跃,目标基本锁定在韩国、中国、俄罗斯和日本。卡巴斯基将该组织命名为Darkhotel(暗黑客栈),是因为他们的一次攻击行动被曝光,主要是利用酒店的无线网络有针对性的瞄准生产制造、国防、投资资本、私人股权投资、汽车等行业的精英管理者。
The tag is: misp-galaxy:360net-threat-actor="Darkhotel - APT-C-06"
Darkhotel - APT-C-06 is also known as:
-
Luder
-
Karba
-
Tapaoux
-
Dubnium
-
SIG25
Links |
奇幻熊 - APT-C-20
APT28(APT-C-20),又称Pawn Storm、Sofacy、Sednit、Fancy Bear和Strontium。APT28组织被怀疑幕后和俄罗斯政府有关,该组织相关攻击时间最早可以追溯到2004年。其主要目标包括国防工业、军队、政府组织和媒体。期间使用了大量0day漏洞,相关恶意代码除了针对windows、Linux等PC操作系统,还会针对苹果IOS等移动设备操作系统。早前也曾被怀疑与北大西洋公约组织网络攻击事件有关。APT28组织在2015年第一季度有大量的活动,用于攻击NATO成员国和欧洲、亚洲、中东政府。目前有许多安全厂商怀疑其与俄罗斯政府有关,而早前也曾被怀疑秘密调查MH17事件。从2016年开始该组织最新的目标瞄准了土耳其高级官员。
The tag is: misp-galaxy:360net-threat-actor="奇幻熊 - APT-C-20"
奇幻熊 - APT-C-20 is also known as:
-
APT28
-
Pawn Storm
-
Sofacy Group
-
Sednit
-
Fancy Bear
-
STRONTIUM
Links |
沙虫 - APT-C-13
沙虫组织的主要目标领域有:政府、教育、能源机构和电信运营商。进一步主要针对欧美国家政府、北约,以及乌克兰政府展开间谍活动。该组织曾使用0day漏洞(CVE-2014-4114)针对乌克兰政府发起了一次钓鱼攻击。而在威尔士举行的讨论乌克兰危机的北约峰会针对美国也进行了攻击。该组织还使用了BlackEnergy恶意软件。而且沙虫组织不仅仅只进行常规的网络间谍活动,还针对SCADA系统进行了攻击,研究者认为相关活动是为了之后的网络攻击进行侦查跟踪。另外有少量证据表明,针对乌克兰电力系统等工业领域的网络攻击中涉及到了BlackEnergy恶意软件。如果此次攻击的确使用了BlackEnergy恶意软件的话,那有可能幕后会关联到沙虫组织。
The tag is: misp-galaxy:360net-threat-actor="沙虫 - APT-C-13"
沙虫 - APT-C-13 is also known as:
-
SandWorm
Links |
肚脑虫 - APT-C-35
APT-C-35(肚脑虫)组织,又称Donot,是一个针对克什米尔地区相关国家的政府机构等领域进行网络间谍活动,以窃取敏感信息为主的攻击组织。该组织于2017年3月由360追日团队首次曝光,随后有数个国内外安全团队持续追踪并披露该组织的最新攻击活动。攻击活动最早始于2016年4月,至今活跃,攻击方式主要采用鱼叉邮件进行攻击。
The tag is: misp-galaxy:360net-threat-actor="肚脑虫 - APT-C-35"
肚脑虫 - APT-C-35 is also known as:
-
Donot
Links |
蔓灵花 - APT-C-08
蔓灵花组织利用鱼叉邮件以及系统漏洞等方式,主要攻击政府、电力和工业相关单位,以窃取敏感信息为主。国外样本最早出现在2013年11月,样本编译时间集中出现在2015年7月至2016年9月期间,2016年网络安全公司Forcepoint最早报告了这一组织,随后被多次发现,至今还非常活跃。
The tag is: misp-galaxy:360net-threat-actor="蔓灵花 - APT-C-08"
蔓灵花 - APT-C-08 is also known as:
Links |
索伦之眼 - APT-C-16
索伦之眼组织(APT-C-16),又称Sauron、Strider。该组织主要针对中国、俄罗斯等多个国家进行网络间谍活动,其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2010年,至今还非常活跃。该组织整个攻击过程中是高度隐蔽,且针对性极强,对特定目标采用定制的恶意程序或通信设施,不会重复使用相关攻击资源。相关恶意代码复杂度可以与方程式(Equation)媲美,其综合能力不弱于震网(Stuxnet)、火焰(Flame)等APT组织。
The tag is: misp-galaxy:360net-threat-actor="索伦之眼 - APT-C-16"
索伦之眼 - APT-C-16 is also known as:
-
Sauron
-
Strider
Links |
潜行者 - APT-C-30
潜行者组织主要搜集东南亚国家政府机构、国防部门、情报机构等机构敏感信息,其中针对我国就进行了超十年左右的网络攻击。主要针对政府、通信等领域重点单位,攻击最早可以关联追溯到2009年,最早的样本编译时间为2008年,攻击活动一直持续至今。
The tag is: misp-galaxy:360net-threat-actor="潜行者 - APT-C-30"
潜行者 - APT-C-30 is also known as:
Links |
响尾蛇 - APT-C-24
APT-C-24又名Sidewinder、Rattlesnake等,是具有印度背景的APT组织。该组织通常以巴基斯坦、中国、尼泊尔等在内的南亚及周边地区的国家为目标,主要攻击该国家/地区的政府、军事、外交等领域,最常见的感染媒介之一就是使用带有漏洞的恶意文档。2020年初,该组织还使用与COVID-19相关的诱饵文件对孟加拉国、中国和巴基斯坦发起了网络攻击,通过近年来对该组织的追踪发现,Sidewinder越来越倾向于利用诸如COVID-19之类的趋势话题或各种政治问题作为一种社会工程技术来攻击其目标,因此需要更加地警惕小心。
The tag is: misp-galaxy:360net-threat-actor="响尾蛇 - APT-C-24"
响尾蛇 - APT-C-24 is also known as:
-
SideWinder
Links |
ScarCruft - APT-C-28
APT-C-28组织,又名ScarCruft、APT37 (Reaper)、Group123,是一个来自于东北亚地区的境外APT组织,其相关攻击活动最早可追溯到2012年,且至今依然保持活跃状态。APT-C-28组织主要针对韩国等亚洲国家进行网络间谍活动,其中以窃取战略军事、政治、经济利益相关的情报和敏感数据为主。APT-C-28组织最早由卡巴斯基公司于2016年6月曝光,随后各个安全厂商对其进行了持续追踪并不断曝光该组织的最新攻击活动。
The tag is: misp-galaxy:360net-threat-actor="ScarCruft - APT-C-28"
ScarCruft - APT-C-28 is also known as:
-
APT37(Reaper)
-
Group123
Links |
Turla - APT-C-29
Turla Group又名Waterbug、Venomous Bear、Group 88等,是具有俄罗斯背景的APT组织,至少从1996年就开始活跃,2015年以后攻击活动更加频繁。Turla组织的攻击目标遍及全球多个国家,攻击对象涉及政府、外交、军事、教育、研究和医疗等多个领域,因开展水坑攻击和鱼叉式网络钓鱼攻击以及利用定制化的恶意软件而闻名。
The tag is: misp-galaxy:360net-threat-actor="Turla - APT-C-29"
Turla - APT-C-29 is also known as:
-
Turla, Waterbug, Venomous Bear, Group 88
Links |
Carbanak - APT-C-11
Carbanak(即Anunak)攻击组织,是一个跨国网络犯罪团伙。2013年起,该犯罪团伙总计向全球约30个国家和地区的100家银行、电子支付系统和其他金融机构发动了攻击,目前相关攻击活动还很活跃。
The tag is: misp-galaxy:360net-threat-actor="Carbanak - APT-C-11"
Carbanak - APT-C-11 is also known as:
-
Anunak
Links |
飞鲨 - APT-C-17
APT-C-17是360发现的一起APT攻击,我们将此次攻击行动命名为“飞鲨”行动。相关攻击行动最早可以追溯到2013年1月,持续活跃到2014年3月,主要针对中国航空航天领域,目的是窃取目标用户敏感数据信息,近期暂无监控到相关攻击事件。
The tag is: misp-galaxy:360net-threat-actor="飞鲨 - APT-C-17"
飞鲨 - APT-C-17 is also known as:
Links |
方程式 - APT-C-40
APT-C-40(方程式)是史上最强APT组织。该团伙已活跃近20年,并且在攻击复杂性和攻击技巧方面超越了历史上所有的网络攻击组织,并被认为是著名的震网(Stuxnet)和火焰(Flame)病毒幕后的操纵者。
The tag is: misp-galaxy:360net-threat-actor="方程式 - APT-C-40"
方程式 - APT-C-40 is also known as:
Links |
透明部落 - APT-C-56
Operation_C-Major又名Transparent Tribe、APT36、Mythic Leopard等,是具有巴基斯坦背景的APT组织,攻击活动影响范围较广,但主要攻击目标为印度国家的政府、军方等组织,此外为保障国家利益,巴基斯坦境内的民间团体或政治家也是其主要攻击对象。该组织于2013年被首次发现,近年来一直处于活跃状态。2020年初,利用有关印巴两国边境争端的诱饵文档,向印度政府组织、国防人员发起了鱼叉式网络攻击,也就是‘Honey Trap’行动,以此来窃取国家机密及敏感数据。
The tag is: misp-galaxy:360net-threat-actor="透明部落 - APT-C-56"
透明部落 - APT-C-56 is also known as:
-
APT36
-
ProjectM
-
C-Major
Links |
腾云蛇 - APT-C-61
APT-C-61又名腾云蛇,最早活跃可追溯到2020年1月,至今还很活跃,主要攻击目标为巴基斯坦、孟加拉等国家的国家机构、军工、科研、国防等重要领域,攻击时通过鱼叉邮件配合社会工程学手段进行渗透,向目标设备传播恶意程序,暗中控制目标设备,持续窃取设备上的敏感文件。因其使用的C2、载荷下发、窃取的数据存储等均依赖于云服务,且使用的木马为python语言编写而得名。
The tag is: misp-galaxy:360net-threat-actor="腾云蛇 - APT-C-61"
腾云蛇 - APT-C-61 is also known as:
Links |
Kimsuky - APT-C-55
Kimsuky 是位于朝鲜的APT组织,又名(Mystery Baby, Baby Coin, Smoke Screen, BabyShark, Cobra Venom)等,最早由Kaspersky在2013年披露,该组织长期针对于韩国的智囊团、政府外交、新闻组织、教育学术组织等进行攻击,在过去几年里,他们将攻击目标扩大到包括美国、俄罗斯和欧洲各国在内的国家。主要目的为窃取情报、间谍活动等。该组织十分活跃,常用的攻击载荷为带有漏洞的hwp文件、恶意宏文件、释放载荷的PE文件等。
The tag is: misp-galaxy:360net-threat-actor="Kimsuky - APT-C-55"
Kimsuky - APT-C-55 is also known as:
Links |
卢甘斯克组织 - APT-C-46
2019年初,国外安全厂商披露了一起疑似卢甘斯克背景的APT组织针对乌克兰政府的定向攻击活动,根据相关报告分析该组织的攻击活动至少可以追溯到2014年,曾大量通过网络钓鱼、水坑攻击等方式针对乌克兰政府机构进行攻击,在其过去的攻击活动中曾使用过开源Quasar RAT和VERMIN等恶意软件,捕获目标的音频和视频,窃取密码,获取机密文件等等。
The tag is: misp-galaxy:360net-threat-actor="卢甘斯克组织 - APT-C-46"
卢甘斯克组织 - APT-C-46 is also known as:
-
APT-C-46
Links |
旺刺组织 - APT-C-47
近期,360安全大脑检测到多起ClickOnce恶意程序的攻击活动,通过360高级威胁研究院的深入研判分析,发现这是一起来自半岛地区未被披露APT组织的攻击行动,攻击目标涉及与半岛地区有关联的实体机构和个人,根据360安全大脑的数据分析显示,该组织的攻击活动最早可以追溯到2018年。目前还没有任何安全厂商公开披露该组织的攻击活动,也没有安全厂商公开披露利用该技术的真实APT攻击事件。由于此次攻击活动属于360全球首次捕获披露,我们根据该组织擅长攻击技术的谐音,将其命名为“旺刺”组织,并为其分配了新编号APT-C-47。
The tag is: misp-galaxy:360net-threat-actor="旺刺组织 - APT-C-47"
旺刺组织 - APT-C-47 is also known as:
-
APT-C-47
Links |
DomesticKitten - APT-C-50
Domestic Kitten(Check Point),别名APT-C-50。最早被国外安全厂商披露,自2016年以来一直在进行广泛而有针对性的攻击,攻击目标包括中东某国内部持不同政见者和反对派力量,以及ISIS的拥护者和主要定居在中东某国西部的库尔德少数民族。值得注意的是,所有攻击目标都是中东某国公民。伊斯兰革命卫队(IRGC)、情报部、内政部等中东某国政府机构可能为该组织提供支持。
The tag is: misp-galaxy:360net-threat-actor="DomesticKitten - APT-C-50"
DomesticKitten - APT-C-50 is also known as:
-
APT-C-50
Links |
SandCat - APT-C-32
SandCat由卡巴斯基在2018年首次发现,该组织一直在使用FinFisher/ FinSpy间谍软件和CHAINSHOT攻击框架,并有使用0 Day漏洞的能力,曾经使用过CVE-2018-8589和CVE-2018-8611。主要攻击中东、非洲和东欧等地区的目标。
The tag is: misp-galaxy:360net-threat-actor="SandCat - APT-C-32"
SandCat - APT-C-32 is also known as:
Links |
CNC - APT-C-48
该组织于2019年发现,因为样本的pdb路径中有cnc_client字符,所以暂时叫做CNC组织。该组织定向攻击我国教育、航天、军工和医疗等行业,窃取情报。在攻击过程中会尝试使用Nday,并且有能够开发GO语言木马的开发人员。
The tag is: misp-galaxy:360net-threat-actor="CNC - APT-C-48"
CNC - APT-C-48 is also known as:
Links |
蓝色魔眼 - APT-C-41
APT-C-41,是一个具有土耳其背景的APT小组,该APT组织最早的攻击活动可以追溯到2012年。该组织主要针对意大利、土耳其、比利时、叙利亚、欧洲等地区和国家进行攻击活动。2020年,360发现了该组织针对我国相关单位的攻击,并将其命名为APT-C-41。
The tag is: misp-galaxy:360net-threat-actor="蓝色魔眼 - APT-C-41"
蓝色魔眼 - APT-C-41 is also known as:
Links |
Machete - APT-C-43
El Machete由卡巴斯基首次发现,最早的攻击可以追溯至2014年,主要针对拉丁美洲。360白泽实验室发现了一款Python语言编写的新型后门病毒Pyark,通过对该后门的深入挖掘和溯源分析,我们发现了一系列从2019年起便一直活跃的高级威胁行动,攻击者通过入侵委内瑞拉的多处军事机构,部署后门病毒,不间断的监控和窃取最新的军事机密。
The tag is: misp-galaxy:360net-threat-actor="Machete - APT-C-43"
Machete - APT-C-43 is also known as:
-
Machete
Links |
Gamaredon - APT-C-53
Gamaredon又名Primitive Bear、Winterflounder、BlueAlpha,至少从2013年就开始活跃,是由俄罗斯政府赞助的APT组织。Gamaredon组织主要针对乌克兰的政府、国防、外交、新闻媒体等发起网络间谍活动。近年来,该组成员也不断升级其技战术,开发定制化的恶意软件,这也加大了安全人员对其进行捕获与追踪的难度。
The tag is: misp-galaxy:360net-threat-actor="Gamaredon - APT-C-53"
Gamaredon - APT-C-53 is also known as:
Links |
北非狐 - APT-C-44
北非狐组织(APT-C-44),是一个来自阿尔及利亚的境外APT组织,该组织已持续活跃了3年。北非狐组织主要针对中东地区进行网络间谍活动,以窃取敏感信息为主。相关攻击活动最早可以追溯到2017年11月,至今仍活跃着。
The tag is: misp-galaxy:360net-threat-actor="北非狐 - APT-C-44"
北非狐 - APT-C-44 is also known as:
Links |
WellMess - APT-C-42
WELLMESS组织是一个较新的俄语系境外APT组织,最早发现于2017年并持续至今。该组织主要针对亚洲地区进行间谍攻击,并且曾进行过超两年的供应链攻击,同时拥有漏洞利用能力。该组织的目标主要是政府、IT、科研等单位,以窃取文件为主。
The tag is: misp-galaxy:360net-threat-actor="WellMess - APT-C-42"
WellMess - APT-C-42 is also known as:
Links |
Android
Android malware galaxy based on multiple open sources..
| Android is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Unknown
CopyCat
CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote – a daemon responsible for launching apps in the Android operating system – that allows the malware to control any activity on the device.
The tag is: misp-galaxy:android="CopyCat"
Links |
Andr/Dropr-FH
Andr/Dropr-FH can silently record audio and video, monitor texts and calls, modify files, and ultimately spawn ransomware.
The tag is: misp-galaxy:android="Andr/Dropr-FH"
Andr/Dropr-FH is also known as:
-
GhostCtrl
Andr/Dropr-FH has relationships with:
-
similar: misp-galaxy:malpedia="GhostCtrl" with estimative-language:likelihood-probability="likely"
Links |
Judy
The malware, dubbed Judy, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.
The tag is: misp-galaxy:android="Judy"
Links |
RedAlert2
The trojan waits in hiding until the user opens a banking or social media app. When this happens, the trojan shows an HTML-based overlay on top of the original app, alerting the user of an error, and asking to reauthenticate. Red Alert then collects the user’s credentials and sends them to its C&C server.
The tag is: misp-galaxy:android="RedAlert2"
RedAlert2 has relationships with:
-
similar: misp-galaxy:malpedia="RedAlert2" with estimative-language:likelihood-probability="likely"
Tizi
Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.
The tag is: misp-galaxy:android="Tizi"
Links |
https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html |
DoubleLocker
DoubleLocker can change the device’s PIN, preventing victims from accessing their devices, and also encrypts the data requesting a ransom. It will misuse accessibility services after being installed by impersonating the Adobe Flash player - similar to BankBot.
The tag is: misp-galaxy:android="DoubleLocker"
DoubleLocker has relationships with:
-
similar: misp-galaxy:malpedia="DoubleLocker" with estimative-language:likelihood-probability="likely"
Links |
https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/ |
Svpeng
Svpeng is a Banking trojan which acts as a keylogger. If the Android device is not Russian, Svpeng will ask for permission to use accessibility services. In abusing this service it will gain administrator rights allowing it to draw over other apps, send and receive SMS and take screenshots when keys are pressed.
The tag is: misp-galaxy:android="Svpeng"
Svpeng is also known as:
-
Invisble Man
Svpeng has relationships with:
-
similar: misp-galaxy:tool="Svpeng" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Svpeng" with estimative-language:likelihood-probability="likely"
Links |
https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/ |
https://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/ |
LokiBot
LokiBot is a banking trojan for Android 4.0 and higher. It can steal the information and send SMS messages. It has the ability to start web browsers, and banking applications, along with showing notifications impersonating other apps. Upon attempt to remove it will encrypt the devices' external storage requiring Bitcoins to decrypt files.
The tag is: misp-galaxy:android="LokiBot"
LokiBot has relationships with:
-
similar: misp-galaxy:malpedia="Loki Password Stealer (PWS)" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="LokiBot" with estimative-language:likelihood-probability="likely"
Links |
https://clientsidedetection.com/lokibot_the_first_hybrid_android_malware.html[https://clientsidedetection.com/lokibot_the_first_hybrid_android_malware.html] |
BankBot
The main goal of this malware is to steal banking credentials from the victim’s device. It usually impersonates flash player updaters, android system tools, or other legitimate applications.
The tag is: misp-galaxy:android="BankBot"
BankBot has relationships with:
-
similar: misp-galaxy:malpedia="Anubis (Android)" with estimative-language:likelihood-probability="likely"
Links |
https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot |
Viking Horde
In rooted devices, Viking Horde installs software and executes code remotely to get access to the mobile data.
The tag is: misp-galaxy:android="Viking Horde"
Links |
http://www.alwayson-network.com/worst-types-android-malware-2016/ |
HummingBad
A Chinese advertising company has developed this malware. The malware has the power to take control of devices; it forces users to click advertisements and download apps. The malware uses a multistage attack chain.
The tag is: misp-galaxy:android="HummingBad"
HummingBad has relationships with:
-
similar: misp-galaxy:mitre-malware="HummingBad - S0322" with estimative-language:likelihood-probability="likely"
Links |
http://www.alwayson-network.com/worst-types-android-malware-2016/ |
http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf |
Ackposts
Ackposts is a Trojan horse for Android devices that steals the Contacts information from the compromised device and sends it to a predetermined location.
The tag is: misp-galaxy:android="Ackposts"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-072302-3943-99 |
Wirex
Wirex is a Trojan horse for Android devices that opens a backdoor on the compromised device which then joins a botnet for conducting click fraud.
The tag is: misp-galaxy:android="Wirex"
WannaLocker
WannaLocker is a strain of ransomware for Android devices that encrypts files on the device’s external storage and demands a payment to decrypt them.
The tag is: misp-galaxy:android="WannaLocker"
Links |
https://fossbytes.com/wannalocker-ransomware-wannacry-android/ |
Switcher
Switcher is a Trojan horse for Android devices that modifies Wi-Fi router DNS settings. Swticher attempts to infiltrate a router’s admin interface on the devices' WIFI network by using brute force techniques. If the attack succeeds, Switcher alters the DNS settings of the router, making it possible to reroute DNS queries to a network controlled by the malicious actors.
The tag is: misp-galaxy:android="Switcher"
Switcher has relationships with:
-
similar: misp-galaxy:malpedia="Switcher" with estimative-language:likelihood-probability="likely"
Links |
https://www.theregister.co.uk/2017/01/03/android_trojan_targets_routers/ |
https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99 |
Vibleaker
Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code that after specific orders from its maker would scan the user’s phone for the Viber app, and then steal photos and videos recorded or sent through the app.
The tag is: misp-galaxy:android="Vibleaker"
Links |
http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-BankBot-505758.shtml |
ExpensiveWall
ExpensiveWall is Android malware that sends fraudulent premium SMS messages and charges users accounts for fake services without their knowledge
The tag is: misp-galaxy:android="ExpensiveWall"
Links |
Cepsohord
Cepsohord is a Trojan horse for Android devices that uses compromised devices to commit click fraud, modify DNS settings, randomly delete essential files, and download additional malware such as ransomware.
The tag is: misp-galaxy:android="Cepsohord"
Links |
https://www.cyber.nj.gov/threat-profiles/android-malware-variants/cepsohord |
Fakem Rat
Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).
The tag is: misp-galaxy:android="Fakem Rat"
GM Bot
GM Bot – also known as Acecard, SlemBunk, or Bankosy – scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps log-in pages. Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.
The tag is: misp-galaxy:android="GM Bot"
GM Bot is also known as:
-
Acecard
-
SlemBunk
-
Bankosy
GM Bot has relationships with:
-
similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:android="Bankosy" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"
Links |
https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide |
Moplus
The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the user’s device, and this connection is established in the background without the user’s knowledge.
The tag is: misp-galaxy:android="Moplus"
Links |
http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html |
Adwind
Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. According to the author, the backdoor component can run on Windows, Mac OS, Linux and Android platforms providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.
The tag is: misp-galaxy:android="Adwind"
Adwind is also known as:
-
AlienSpy
-
Frutas
-
Unrecom
-
Sockrat
-
Jsocket
-
jRat
-
Backdoor:Java/Adwind
Adwind has relationships with:
-
similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:android="Sockrat" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"
Links |
AdSms
Adsms is a Trojan horse that may send SMS messages from Android devices.
The tag is: misp-galaxy:android="AdSms"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-051313-4039-99 |
Airpush
Airpush is a very aggresive Ad - Network
The tag is: misp-galaxy:android="Airpush"
Airpush is also known as:
-
StopSMS
Links |
https://crypto.stanford.edu/cs155old/cs155-spring16/lectures/18-mobile-malware.pdf |
BeanBot
BeanBot forwards device’s data to a remote server and sends out premium-rate SMS messages from the infected device.
The tag is: misp-galaxy:android="BeanBot"
Links |
https://www.f-secure.com/v-descs/trojan_android_beanbot.shtml |
Kemoge
Kemoge is adware that disguises itself as popular apps via repackaging, then allows for a complete takeover of the users Android device.
The tag is: misp-galaxy:android="Kemoge"
Kemoge has relationships with:
-
similar: misp-galaxy:mitre-malware="ShiftyBug - S0294" with estimative-language:likelihood-probability="likely"
Links |
https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99 |
Ghost Push
Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed.
The tag is: misp-galaxy:android="Ghost Push"
Links |
https://blog.avast.com/how-to-protect-your-android-device-from-ghost-push |
BeNews
The BeNews app is a backdoor app that uses the name of defunct news site BeNews to appear legitimate. After installation it bypasses restrictions and downloads additional threats to the compromised device.
The tag is: misp-galaxy:android="BeNews"
Links |
Accstealer
Accstealer is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Accstealer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-012711-1159-99 |
Acnetdoor
Acnetdoor is a detection for Trojan horses on the Android platform that open a back door on the compromised device.
The tag is: misp-galaxy:android="Acnetdoor"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99 |
Acnetsteal
Acnetsteal is a detection for Trojan horses on the Android platform that steal information from the compromised device.
The tag is: misp-galaxy:android="Acnetsteal"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051612-0505-99 |
Actech
Actech is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Actech"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080111-3948-99 |
AdChina
AdChina is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdChina"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-2947-99 |
Adfonic
Adfonic is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adfonic"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052615-0024-99 |
AdInfo
AdInfo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdInfo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2433-99 |
Adknowledge
Adknowledge is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adknowledge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-1033-99 |
AdMarvel
AdMarvel is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdMarvel"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-2450-99 |
AdMob
AdMob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdMob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-3437-99 |
Adrd
Adrd is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Adrd"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-021514-4954-99 |
Aduru
Aduru is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Aduru"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-2419-99 |
Adwhirl
Adwhirl is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adwhirl"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1414-99 |
Adwlauncher
Adwlauncher is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Adwlauncher"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082308-1823-99 |
Adwo
Adwo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adwo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-5806-99 |
Airad
Airad is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Airad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-1704-99 |
Alienspy
Alienspy is a Trojan horse for Android devices that steals information from the compromised device. It may also download potentially malicious files.
The tag is: misp-galaxy:android="Alienspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-042714-5942-99 |
AmazonAds
AmazonAds is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AmazonAds"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-5002-99 |
Answerbot
Answerbot is a Trojan horse that opens a back door on Android devices.
The tag is: misp-galaxy:android="Answerbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-100711-2129-99 |
Antammi
Antammi is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Antammi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-032106-5211-99 |
Apkmore
Apkmore is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Apkmore"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-4813-99 |
Aplog
Aplog is a Trojan horse for Android devices that steals information from the device.
The tag is: misp-galaxy:android="Aplog"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-100911-1023-99 |
Appenda
Appenda is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Appenda"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062812-0516-99 |
Apperhand
Apperhand is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Apperhand"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5637-99 |
Appleservice
Appleservice is a Trojan horse for Android devices that may steal information from the compromised device.
The tag is: misp-galaxy:android="Appleservice"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031011-4321-99 |
AppLovin
AppLovin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AppLovin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-1739-99 |
Arspam
Arspam is a Trojan horse for Android devices that sends spam SMS messages to contacts on the compromised device.
The tag is: misp-galaxy:android="Arspam"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121915-3251-99 |
Aurecord
Aurecord is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Aurecord"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-2310-99 |
Backapp
Backapp is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Backapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-092708-5017-99 |
Backdexer
Backdexer is a Trojan horse for Android devices that may send premium-rate SMS messages from the compromised device.
The tag is: misp-galaxy:android="Backdexer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121812-2502-99 |
Backflash
Backflash is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Backflash"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99 |
Backscript
Backscript is a Trojan horse for Android devices that downloads files onto the compromised device.
The tag is: misp-galaxy:android="Backscript"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090704-3639-99 |
Badaccents
Badaccents is a Trojan horse for Android devices that may download apps on the compromised device.
The tag is: misp-galaxy:android="Badaccents"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-123015-3618-99 |
Badpush
Badpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Badpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-4133-99 |
Ballonpop
Ballonpop is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Ballonpop"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-120911-1731-99 |
Bankosy
Bankosy is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Bankosy"
Bankosy has relationships with:
-
similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:android="GM Bot" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99 |
Bankun
Bankun is a Trojan horse for Android devices that replaces certain banking applications on the compromised device.
The tag is: misp-galaxy:android="Bankun"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072318-4143-99 |
Basebridge
Basebridge is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.
The tag is: misp-galaxy:android="Basebridge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060915-4938-99 |
Basedao
Basedao is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Basedao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061715-3303-99 |
Batterydoctor
Batterydoctor is Trojan that makes exaggerated claims about the device’s ability to recharge the battery, as well as steal information.
The tag is: misp-galaxy:android="Batterydoctor"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-101916-0847-99 |
Beaglespy
Beaglespy is an Android mobile detection for the Beagle spyware program as well as its associated client application.
The tag is: misp-galaxy:android="Beaglespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091010-0627-99 |
Becuro
Becuro is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.
The tag is: misp-galaxy:android="Becuro"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-051410-3348-99 |
Beita
Beita is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Beita"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99 |
Bgserv
Bgserv is a Trojan that opens a back door and transmits information from the device to a remote location.
The tag is: misp-galaxy:android="Bgserv"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99 |
Biigespy
Biigespy is an Android mobile detection for the Biige spyware program as well as its associated client application.
The tag is: misp-galaxy:android="Biigespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091012-0526-99 |
Bmaster
Bmaster is a Trojan horse on the Android platform that opens a back door, downloads files and steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Bmaster"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99 |
Bossefiv
Bossefiv is a Trojan horse for Android devices that steals information.
The tag is: misp-galaxy:android="Bossefiv"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-061520-4322-99 |
Boxpush
Boxpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Boxpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-4613-99 |
Burstly
Burstly is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Burstly"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1443-99 |
Buzzcity
Buzzcity is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Buzzcity"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1454-99 |
ByPush
ByPush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="ByPush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4708-99 |
Cajino
Cajino is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Cajino"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-040210-3746-99 |
Casee
Casee is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Casee"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3501-99 |
Catchtoken
Catchtoken is a Trojan horse for Android devices that intercepts SMS messages and opens a back door on the compromised device.
The tag is: misp-galaxy:android="Catchtoken"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121619-0548-99 |
Cauly
Cauly is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Cauly"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3454-99 |
Cellshark
Cellshark is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.
The tag is: misp-galaxy:android="Cellshark"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111611-0914-99 |
Centero
Centero is a Trojan horse for Android devices that displays advertisements on the compromised device.
The tag is: misp-galaxy:android="Centero"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-053006-2502-99 |
Chuli
Chuli is a Trojan horse for Android devices that opens a back door and may steal information from the compromised device.
The tag is: misp-galaxy:android="Chuli"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-032617-1604-99 |
Citmo
Citmo is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Citmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-5012-99 |
Claco
Claco is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Claco"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-020415-5600-99 |
Clevernet
Clevernet is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Clevernet"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-5257-99 |
Cnappbox
Cnappbox is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Cnappbox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-1141-99 |
Cobblerone
Cobblerone is a spyware application for Android devices that can track the phone’s location and remotely erase the device.
The tag is: misp-galaxy:android="Cobblerone"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111514-3846-99 |
Coolpaperleak
Coolpaperleak is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Coolpaperleak"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080211-5757-99 |
Coolreaper
Coolreaper is a Trojan horse for Android devices that opens a back door on the compromised device. It may also steal information and download potentially malicious files.
The tag is: misp-galaxy:android="Coolreaper"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-011220-3211-99 |
Cosha
Cosha is a spyware program for Android devices that monitors and sends certain information to a remote location.
The tag is: misp-galaxy:android="Cosha"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081712-5231-99 |
Counterclank
Counterclank is a Trojan horse for Android devices that steals information.
The tag is: misp-galaxy:android="Counterclank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99 |
Crazymedia
Crazymedia is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Crazymedia"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-2547-99 |
Crisis
Crisis is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Crisis"
Crisis has relationships with:
-
similar: misp-galaxy:malpedia="RCS" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99 |
Crusewind
Crusewind is a Trojan horse for Android devices that sends SMS messages to a premium-rate number.
The tag is: misp-galaxy:android="Crusewind"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99 |
Dandro
Dandro is a Trojan horse for Android devices that allows a remote attacker to gain control over the device and steal information from it.
The tag is: misp-galaxy:android="Dandro"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-012916-2128-99 |
Daoyoudao
Daoyoudao is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Daoyoudao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040214-5018-99 |
Deathring
Deathring is a Trojan horse for Android devices that may perform malicious activities on the compromised device.
The tag is: misp-galaxy:android="Deathring"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121116-4547-99 |
Deeveemap
Deeveemap is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.
The tag is: misp-galaxy:android="Deeveemap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2017-060907-5221-99 |
Dendoroid
Dendoroid is a Trojan horse for Android devices that opens a back door, steals information, and may perform other malicious activities on the compromised device.
The tag is: misp-galaxy:android="Dendoroid"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030418-2633-99 |
Dengaru
Dengaru is a Trojan horse for Android devices that performs click-fraud from the compromised device.
The tag is: misp-galaxy:android="Dengaru"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-051113-4819-99 |
Diandong
Diandong is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Diandong"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-2453-99 |
Dianjin
Dianjin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Dianjin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-0313-99 |
Dogowar
Dogowar is a Trojan horse on the Android platform that sends SMS texts to all contacts on the device. It is a repackaged version of a game application called Dog Wars, which can be downloaded from a third party market and must be manually installed.
The tag is: misp-galaxy:android="Dogowar"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-081510-4323-99 |
Domob
Domob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Domob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-4235-99 |
Dougalek
Dougalek is a Trojan horse for Android devices that steals information from the compromised device. The threat is typically disguised to display a video.
The tag is: misp-galaxy:android="Dougalek"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041601-3400-99 |
Dowgin
Dowgin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Dowgin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-033108-4723-99 |
Droidsheep
Droidsheep is a hacktool for Android devices that hijacks social networking accounts on compromised devices.
The tag is: misp-galaxy:android="Droidsheep"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031014-3628-99 |
Dropdialer
Dropdialer is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Dropdialer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99 |
Dupvert
Dupvert is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. It may also perform other malicious activities.
The tag is: misp-galaxy:android="Dupvert"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072313-1959-99 |
Dynamicit
Dynamicit is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Dynamicit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-1346-99 |
Ecardgrabber
Ecardgrabber is an application that attempts to read details from NFC enabled credit cards. It attempts to read information from NFC enabled credit cards that are in close proximity.
The tag is: misp-galaxy:android="Ecardgrabber"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062215-0939-99 |
Ecobatry
Ecobatry is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Ecobatry"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080606-4102-99 |
Enesoluty
Enesoluty is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Enesoluty"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090607-0807-99 |
Everbadge
Everbadge is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Everbadge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-3736-99 |
Ewalls
Ewalls is a Trojan horse for the Android operating system that steals information from the mobile device.
The tag is: misp-galaxy:android="Ewalls"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2010-073014-0854-99 |
Exprespam
Exprespam is a Trojan horse for Android devices that displays a fake message and steals personal information stored on the compromised device.
The tag is: misp-galaxy:android="Exprespam"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-010705-2324-99 |
Fakealbums
Fakealbums is a Trojan horse for Android devices that monitors and forwards received messages from the compromised device.
The tag is: misp-galaxy:android="Fakealbums"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071819-0636-99 |
Fakeangry
Fakeangry is a Trojan horse on the Android platform that opens a back door, downloads files, and steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Fakeangry"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022823-4233-99 |
Fakeapp
Fakeapp is a Trojan horse for Android devices that downloads configuration files to display advertisements and collects information from the compromised device.
The tag is: misp-galaxy:android="Fakeapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99 |
Fakebanco
Fakebanco is a Trojan horse for Android devices that redirects users to a phishing page in order to steal their information.
The tag is: misp-galaxy:android="Fakebanco"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-112109-5329-99 |
Fakebank
Fakebank is a Trojan horse that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakebank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071813-2448-99 |
Fakebank.B
Fakebank.B is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Fakebank.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-101114-5645-99 |
Fakebok
Fakebok is a Trojan horse for Android devices that sends SMS messages to premium phone numbers.
The tag is: misp-galaxy:android="Fakebok"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-021115-5153-99 |
Fakedaum
Fakedaum is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakedaum"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99 |
Fakedefender
Fakedefender is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.
The tag is: misp-galaxy:android="Fakedefender"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060301-4418-99 |
Fakedefender.B
Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.
The tag is: misp-galaxy:android="Fakedefender.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99 |
Fakedown
Fakedown is a Trojan horse for Android devices that downloads more malicious apps onto the compromised device.
The tag is: misp-galaxy:android="Fakedown"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-041803-5918-99 |
Fakeflash
Fakeflash is a Trojan horse for Android devices that installs a fake Flash application in order to direct users to a website.
The tag is: misp-galaxy:android="Fakeflash"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070318-2122-99 |
Fakegame
Fakegame is a Trojan horse for Android devices that displays advertisements and steals information from the compromised device.
The tag is: misp-galaxy:android="Fakegame"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040808-2922-99 |
Fakeguard
Fakeguard is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakeguard"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-102908-3526-99 |
Fakejob
Fakejob is a Trojan horse for Android devices that redirects users to scam websites.
The tag is: misp-galaxy:android="Fakejob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030721-3048-99 |
Fakekakao
Fakekakao is a Trojan horse for Android devices sends SMS messages to contacts stored on the compromised device.
The tag is: misp-galaxy:android="Fakekakao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071617-2031-99 |
Fakelemon
Fakelemon is a Trojan horse for Android devices that blocks certain SMS messages and may subscribe to services without the user’s consent.
The tag is: misp-galaxy:android="Fakelemon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-120609-3608-99 |
Fakelicense
Fakelicense is a Trojan horse that displays advertisements on the compromised device.
The tag is: misp-galaxy:android="Fakelicense"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062709-1437-99 |
Fakelogin
Fakelogin is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakelogin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-102108-5457-99 |
FakeLookout
FakeLookout is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.
The tag is: misp-galaxy:android="FakeLookout"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-101919-2128-99 |
FakeMart
FakeMart is a Trojan horse for Android devices that may send SMS messages to premium rate numbers. It may also block incoming messages and steal information from the compromised device.
The tag is: misp-galaxy:android="FakeMart"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99 |
Fakemini
Fakemini is a Trojan horse for Android devices that disguises itself as an installation for the Opera Mini browser and sends premium-rate SMS messages to a predetermined number.
The tag is: misp-galaxy:android="Fakemini"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-110410-5958-99 |
Fakemrat
Fakemrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Fakemrat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99 |
Fakeneflic
Fakeneflic is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Fakeneflic"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99 |
Fakenotify
Fakenotify is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers, collects and sends information, and periodically displays Web pages. It also downloads legitimate apps onto the compromised device.
The tag is: misp-galaxy:android="Fakenotify"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011302-3052-99 |
Fakepatch
Fakepatch is a Trojan horse for Android devices that downloads more files on to the device.
The tag is: misp-galaxy:android="Fakepatch"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062811-2820-99 |
Fakeplay
Fakeplay is a Trojan horse for Android devices that steals information from the compromised device and sends it to a predetermined email address.
The tag is: misp-galaxy:android="Fakeplay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-100917-3825-99 |
Fakescarav
Fakescarav is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to pay in order to remove non-existent malware or security risks from the device.
The tag is: misp-galaxy:android="Fakescarav"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-012809-1901-99 |
Fakesecsuit
Fakesecsuit is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakesecsuit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99 |
Fakesucon
Fakesucon is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Fakesucon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-120915-2524-99 |
Faketaobao
Faketaobao is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Faketaobao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99 |
Faketaobao.B
Faketaobao.B is a Trojan horse for Android devices that intercepts and and sends incoming SMS messages to a remote attacker.
The tag is: misp-galaxy:android="Faketaobao.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-012106-4013-99 |
Faketoken
Faketoken is a Trojan horse that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Faketoken"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-032211-2048-99 |
http://bgr.com/2017/08/18/android-malware-faketoken-steal-credit-card-info/ |
Fakeupdate
Fakeupdate is a Trojan horse for Android devices that downloads other applications onto the compromised device.
The tag is: misp-galaxy:android="Fakeupdate"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-081914-5637-99 |
Fakevoice
Fakevoice is a Trojan horse for Android devices that dials a premium-rate phone number.
The tag is: misp-galaxy:android="Fakevoice"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040510-3249-99 |
Farmbaby
Farmbaby is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.
The tag is: misp-galaxy:android="Farmbaby"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090715-3641-99 |
Fauxtocopy
Fauxtocopy is a spyware application for Android devices that gathers photos from the device and sends them to a predetermined email address.
The tag is: misp-galaxy:android="Fauxtocopy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111515-3940-99 |
Feiwo
Feiwo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Feiwo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-4038-99 |
FindAndCall
FindAndCall is a Potentially Unwanted Application for Android devices that may leak information.
The tag is: misp-galaxy:android="FindAndCall"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-2906-99 |
Finfish
Finfish is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Finfish"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-083016-0032-99 |
Fireleaker
Fireleaker is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fireleaker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-5207-99 |
Fitikser
Fitikser is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fitikser"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-093015-2830-99 |
Flexispy
Flexispy is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.
The tag is: misp-galaxy:android="Flexispy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99 |
Fokonge
Fokonge is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Fokonge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071802-0727-99 |
FoncySMS
FoncySMS is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. It may also connect to an IRC server and execute any received shell commands.
The tag is: misp-galaxy:android="FoncySMS"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011502-2651-99 |
Frogonal
Frogonal is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Frogonal"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062205-2312-99 |
Ftad
Ftad is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Ftad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040114-2020-99 |
Funtasy
Funtasy is a Trojan horse for Android devices that subscribes the user to premium SMS services.
The tag is: misp-galaxy:android="Funtasy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-092519-5811-99 |
GallMe
GallMe is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="GallMe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1336-99 |
Gamex
Gamex is a Trojan horse for Android devices that downloads further threats.
The tag is: misp-galaxy:android="Gamex"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051015-1808-99 |
Gappusin
Gappusin is a Trojan horse for Android devices that downloads applications and disguises them as system updates.
The tag is: misp-galaxy:android="Gappusin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022007-2013-99 |
Gazon
Gazon is a worm for Android devices that spreads through SMS messages.
The tag is: misp-galaxy:android="Gazon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-030320-1436-99 |
Geinimi
Geinimi is a Trojan that opens a back door and transmits information from the device to a remote location.
The tag is: misp-galaxy:android="Geinimi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-010111-5403-99 |
Generisk
Generisk is a generic detection for Android applications that may pose a privacy, security, or stability risk to the user or user’s Android device.
The tag is: misp-galaxy:android="Generisk"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-062622-1559-99 |
Genheur
Genheur is a generic detection for many individual but varied Trojans for Android devices for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.
The tag is: misp-galaxy:android="Genheur"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-0848-99 |
Genpush
Genpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Genpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-033109-0426-99 |
GeoFake
GeoFake is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers.
The tag is: misp-galaxy:android="GeoFake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040217-3232-99 |
Geplook
Geplook is a Trojan horse for Android devices that downloads additional apps onto the compromised device.
The tag is: misp-galaxy:android="Geplook"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121814-0917-99 |
Getadpush
Getadpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Getadpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-0957-99 |
Ggtracker
Ggtracker is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. It may also steal information from the device.
The tag is: misp-galaxy:android="Ggtracker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-062208-5013-99 |
Ghostpush
Ghostpush is a Trojan horse for Android devices that roots the compromised device. It may then perform malicious activities on the compromised device.
The tag is: misp-galaxy:android="Ghostpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-100215-3718-99 |
Gmaster
Gmaster is a Trojan horse on the Android platform that steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Gmaster"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99 |
Godwon
Godwon is a Trojan horse for Android devices that steals information.
The tag is: misp-galaxy:android="Godwon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99 |
Golddream
Golddream is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Golddream"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-070608-4139-99 |
Goldeneagle
Goldeneagle is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Goldeneagle"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-090110-3712-99 |
Golocker
Golocker is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Golocker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062003-3214-99 |
Gomal
Gomal is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Gomal"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101312-1047-99 |
Gonesixty
Gonesixty is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Gonesixty"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99 |
Gonfu
Gonfu is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Gonfu"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060610-3953-99 |
Gonfu.B
Gonfu.B is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Gonfu.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-030811-5215-99 |
Gonfu.C
Gonfu.C is a Trojan horse for Android devices that may download additional threats on the compromised device.
The tag is: misp-galaxy:android="Gonfu.C"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031817-3639-99 |
Gonfu.D
Gonfu.D is a Trojan horse that opens a back door on Android devices.
The tag is: misp-galaxy:android="Gonfu.D"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040414-1158-99 |
Gooboot
Gooboot is a Trojan horse for Android devices that may send text messages to premium rate numbers.
The tag is: misp-galaxy:android="Gooboot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031818-3034-99 |
Goodadpush
Goodadpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Goodadpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0913-99 |
Greystripe
Greystripe is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Greystripe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-2643-99 |
Gugespy
Gugespy is a spyware program for Android devices that logs the device’s activity and sends it to a predetermined email address.
The tag is: misp-galaxy:android="Gugespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071822-2515-99 |
Gugespy.B
Gugespy.B is a spyware program for Android devices that monitors and sends certain information to a remote location.
The tag is: misp-galaxy:android="Gugespy.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-070511-5038-99 |
Gupno
Gupno is a Trojan horse for Android devices that poses as a legitimate app and attempts to charge users for features that are normally free. It may also display advertisements on the compromised device.
The tag is: misp-galaxy:android="Gupno"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-072211-5533-99 |
Habey
Habey is a Trojan horse for Android devices that may attempt to delete files and send SMS messages from the compromised device.
The tag is: misp-galaxy:android="Habey"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-100608-4512-99 |
Handyclient
Handyclient is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Handyclient"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5027-99 |
Hehe
Hehe is a Trojan horse for Android devices that blocks incoming calls and SMS messages from specific numbers. The Trojan also steals information from the compromised device.
The tag is: misp-galaxy:android="Hehe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-012211-0020-99 |
Hesperbot
Hesperbot is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.
The tag is: misp-galaxy:android="Hesperbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121010-1120-99 |
Hippo
Hippo is a Trojan horse that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Hippo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071215-3547-99 |
Hippo.B
Hippo.B is a Trojan horse that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Hippo.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031915-0151-99 |
IadPush
IadPush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="IadPush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4104-99 |
iBanking
iBanking is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.
The tag is: misp-galaxy:android="iBanking"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030713-0559-99 |
Iconosis
Iconosis is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Iconosis"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062107-3327-99 |
Iconosys
Iconosys is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Iconosys"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081309-0341-99 |
Igexin
Igexin is an advertisement library that is bundled with certain Android applications. Igexin has the capability of spying on victims through otherwise benign apps by downloading malicious plugins,
The tag is: misp-galaxy:android="Igexin"
Igexin is also known as:
-
IcicleGum
Igexin has relationships with:
-
similar: misp-galaxy:android="IcicleGum" with estimative-language:likelihood-probability="likely"
ImAdPush
ImAdPush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="ImAdPush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040323-0218-99 |
InMobi
InMobi is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="InMobi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-1527-99 |
Jifake
Jifake is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Jifake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-073021-4247-99 |
Jollyserv
Jollyserv is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.
The tag is: misp-galaxy:android="Jollyserv"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-090311-4533-99 |
Jsmshider
Jsmshider is a Trojan horse that opens a back door on Android devices.
The tag is: misp-galaxy:android="Jsmshider"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-062114-0857-99 |
Ju6
Ju6 is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Ju6"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2428-99 |
Jumptap
Jumptap is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Jumptap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0859-99 |
Jzmob
Jzmob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Jzmob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-1703-99 |
Kabstamper
Kabstamper is a Trojan horse for Android devices that corrupts images found on the compromised device.
The tag is: misp-galaxy:android="Kabstamper"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-060706-2305-99 |
Kidlogger
Kidlogger is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.
The tag is: misp-galaxy:android="Kidlogger"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-122014-1927-99 |
Kielog
Kielog is a Trojan horse for Android devices that logs keystrokes and sends the stolen information to the remote attacker.
The tag is: misp-galaxy:android="Kielog"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040205-4035-99 |
Kituri
Kituri is a Trojan horse for Android devices that blocks certain SMS messages from being received by the device. It may also send SMS messages to a premium-rate number.
The tag is: misp-galaxy:android="Kituri"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-061111-5350-99 |
Kranxpay
Kranxpay is a Trojan horse for Android devices that downloads other apps onto the device.
The tag is: misp-galaxy:android="Kranxpay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071009-0809-99 |
Krysanec
Krysanec is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Krysanec"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-090113-4128-99 |
Kuaidian360
Kuaidian360 is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Kuaidian360"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040109-2415-99 |
Kuguo
Kuguo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Kuguo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-5215-99 |
Lastacloud
Lastacloud is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Lastacloud"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121216-4334-99 |
Laucassspy
Laucassspy is a spyware program for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Laucassspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-092409-1822-99 |
Lifemonspy
Lifemonspy is a spyware application for Android devices that can track the phone’s location, download SMS messages, and erase certain data from the device.
The tag is: misp-galaxy:android="Lifemonspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-5540-99 |
Lightdd
Lightdd is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Lightdd"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-053114-2342-99 |
Loaderpush
Loaderpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Loaderpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0244-99 |
Locaspy
Locaspy is a Potentially Unwanted Application for Android devices that tracks the location of the compromised device.
The tag is: misp-galaxy:android="Locaspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030720-3500-99 |
Lockdroid.E
Lockdroid.E is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.E"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-103005-2209-99 |
Lockdroid.F
Lockdroid.F is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.F"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-102215-4346-99 |
Lockdroid.G
Lockdroid.G is a Trojan horse for Android devices that may display a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.G"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-050610-2450-99 |
Lockdroid.H
Lockdroid.H is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.H"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2016-031621-1349-99 |
Lockscreen
Lockscreen is a Trojan horse for Android devices that locks the compromised device from use.
The tag is: misp-galaxy:android="Lockscreen"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-032409-0743-99 |
LogiaAd
LogiaAd is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="LogiaAd"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0348-99 |
Loicdos
Loicdos is an Android application that provides an interface to a website in order to perform a denial of service (DoS) attack against a computer.
The tag is: misp-galaxy:android="Loicdos"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022002-2431-99 |
Loozfon
Loozfon is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Loozfon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082005-5451-99 |
Lotoor
Lotoor is a generic detection for hack tools that exploit vulnerabilities in order to gain root privileges on compromised Android devices.
The tag is: misp-galaxy:android="Lotoor"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091922-4449-99 |
Lovespy
Lovespy is a Trojan horse for Android devices that steals information from the device.
The tag is: misp-galaxy:android="Lovespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071814-3805-99 |
Lovetrap
Lovetrap is a Trojan horse that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Lovetrap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99 |
Luckycat
Luckycat is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.
The tag is: misp-galaxy:android="Luckycat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080617-5343-99 |
Machinleak
Machinleak is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Machinleak"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-120311-2440-99 |
Maistealer
Maistealer is a Trojan that steals information from Android devices.
The tag is: misp-galaxy:android="Maistealer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99 |
Malapp
Malapp is a generic detection for many individual but varied threats on Android devices that share similar characteristics.
The tag is: misp-galaxy:android="Malapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-073014-3354-99 |
Malebook
Malebook is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Malebook"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071206-3403-99 |
Malhome
Malhome is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Malhome"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071118-0441-99 |
Malminer
Malminer is a Trojan horse for Android devices that mines cryptocurrencies on the compromised device.
The tag is: misp-galaxy:android="Malminer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032712-3709-99 |
Mania
Mania is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Mania"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070623-1520-99 |
Maxit
Maxit is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals certain information and uploads it to a remote location.
The tag is: misp-galaxy:android="Maxit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-120411-2511-99 |
MdotM
MdotM is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MdotM"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5824-99 |
Medialets
Medialets is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Medialets"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5222-99 |
Meshidden
Meshidden is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Meshidden"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031913-5257-99 |
Mesploit
Mesploit is a tool for Android devices used to create applications that exploit the Android Fake ID vulnerability.
The tag is: misp-galaxy:android="Mesploit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-032014-2847-99 |
Mesprank
Mesprank is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Mesprank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030717-1933-99 |
Meswatcherbox
Meswatcherbox is a spyware application for Android devices that forwards SMS messages without the user knowing.
The tag is: misp-galaxy:android="Meswatcherbox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-2736-99 |
Miji
Miji is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Miji"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4720-99 |
Milipnot
Milipnot is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Milipnot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-070414-0941-99 |
MillennialMedia
MillennialMedia is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MillennialMedia"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4602-99 |
Mitcad
Mitcad is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mitcad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040212-0528-99 |
MobClix
MobClix is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MobClix"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4011-99 |
MobFox
MobFox is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MobFox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-3050-99 |
Mobidisplay
Mobidisplay is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mobidisplay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-0435-99 |
Mobigapp
Mobigapp is a Trojan horse for Android devices that downloads applications disguised as system updates.
The tag is: misp-galaxy:android="Mobigapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062520-5802-99 |
MobileBackup
MobileBackup is a spyware application for Android devices that monitors the affected device.
The tag is: misp-galaxy:android="MobileBackup"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-0040-99 |
Mobilespy
Mobilespy is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Mobilespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071512-0653-99 |
Mobiletx
Mobiletx is a Trojan horse for Android devices that steals information from the compromised device. It may also send SMS messages to a premium-rate number.
The tag is: misp-galaxy:android="Mobiletx"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-052807-4439-99 |
Mobinaspy
Mobinaspy is a spyware application for Android devices that can track the device’s location.
The tag is: misp-galaxy:android="Mobinaspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-0511-99 |
Mobus
Mobus is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mobus"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2006-99 |
MobWin
MobWin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MobWin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1522-99 |
Mocore
Mocore is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mocore"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-092112-4603-99 |
Moghava
Moghava is a Trojan horse for Android devices that modifies images that are stored on the device.
The tag is: misp-galaxy:android="Moghava"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022712-2822-99 |
Momark
Momark is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Momark"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-5529-99 |
Monitorello
Monitorello is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Monitorello"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-4737-99 |
Moolah
Moolah is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Moolah"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1007-99 |
MoPub
MoPub is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MoPub"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-2456-99 |
Morepaks
Morepaks is a Trojan horse for Android devices that downloads remote files and may display advertisements on the compromised device.
The tag is: misp-galaxy:android="Morepaks"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071204-1130-99 |
Nandrobox
Nandrobox is a Trojan horse for Android devices that steals information from the compromised device. It also deletes certain SMS messages from the device.
The tag is: misp-galaxy:android="Nandrobox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070212-2132-99 |
Netisend
Netisend is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Netisend"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-080207-1139-99 |
Nickispy
Nickispy is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Nickispy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-072714-3613-99 |
Notcompatible
Notcompatible is a Trojan horse for Android devices that acts as a proxy.
The tag is: misp-galaxy:android="Notcompatible"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-050307-2712-99 |
Nuhaz
Nuhaz is a Trojan horse for Android devices that may intercept text messages on the compromised device.
The tag is: misp-galaxy:android="Nuhaz"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-3416-99 |
Nyearleaker
Nyearleaker is a Trojan horse program for Android devices that steals information.
The tag is: misp-galaxy:android="Nyearleaker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-010514-0844-99 |
Obad
Obad is a Trojan horse for Android devices that opens a back door, steals information, and downloads files. It also sends SMS messages to premium-rate numbers and spreads malware to Bluetooth-enabled devices.
The tag is: misp-galaxy:android="Obad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99 |
Oneclickfraud
Oneclickfraud is a Trojan horse for Android devices that attempts to coerce a user into paying for a pornographic service.
The tag is: misp-galaxy:android="Oneclickfraud"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011205-4412-99 |
Opfake
Opfake is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers.
The tag is: misp-galaxy:android="Opfake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99 |
Opfake.B
Opfake.B is a Trojan horse for the Android platform that may receive commands from a remote attacker to perform various functions.
The tag is: misp-galaxy:android="Opfake.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022406-1309-99 |
Ozotshielder
Ozotshielder is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Ozotshielder"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-091505-3230-99 |
Pafloat
Pafloat is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Pafloat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-2015-99 |
PandaAds
PandaAds is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="PandaAds"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1959-99 |
Pandbot
Pandbot is a Trojan horse for Android devices that may download more files onto the device.
The tag is: misp-galaxy:android="Pandbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071215-1454-99 |
Pdaspy
Pdaspy is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.
The tag is: misp-galaxy:android="Pdaspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-0749-99 |
Penetho
Penetho is a hacktool for Android devices that can be used to crack the WiFi password of the router that the device is using.
The tag is: misp-galaxy:android="Penetho"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-100110-3614-99 |
Perkel
Perkel is a Trojan horse for Android devices that may steal information from the compromised device.
The tag is: misp-galaxy:android="Perkel"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-082811-4213-99 |
Phimdropper
Phimdropper is a Trojan horse for Android devices that sends and intercepts incoming SMS messages.
The tag is: misp-galaxy:android="Phimdropper"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-021002-2943-99 |
Phospy
Phospy is a Trojan horse for Android devices that steals confidential information from the compromised device.
The tag is: misp-galaxy:android="Phospy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99 |
Piddialer
Piddialer is a Trojan horse for Android devices that dials premium-rate numbers from the compromised device.
The tag is: misp-galaxy:android="Piddialer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-2247-99 |
Pikspam
Pikspam is a Trojan horse for Android devices that sends spam SMS messages from the compromised device.
The tag is: misp-galaxy:android="Pikspam"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-121815-0336-99 |
Pincer
Pincer is a Trojan horse for Android devices that steals confidential information and opens a back door on the compromised device.
The tag is: misp-galaxy:android="Pincer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-052307-3530-99 |
Pirator
Pirator is a Trojan horse on the Android platform that downloads files and steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Pirator"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-021609-5740-99 |
Pjapps
Pjapps is a Trojan horse that has been embedded on third party applications and opens a back door on the compromised device. It retrieves commands from a remote command and control server.
The tag is: misp-galaxy:android="Pjapps"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-022303-3344-99 |
Pjapps.B
Pjapps.B is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Pjapps.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032014-1624-99 |
Pletora
Pletora is a is a Trojan horse for Android devices that may lock the compromised device. It then asks the user to pay in order to unlock the device.
The tag is: misp-galaxy:android="Pletora"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061217-4345-99 |
Poisoncake
Poisoncake is a Trojan horse for Android devices that opens a back door on the compromised device. It may also download potentially malicious files and steal information.
The tag is: misp-galaxy:android="Poisoncake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-010610-0726-99 |
Pontiflex
Pontiflex is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Pontiflex"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-0946-99 |
Positmob
Positmob is a Trojan horse program for Android devices that sends SMS messages to premium rate phone numbers.
The tag is: misp-galaxy:android="Positmob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111409-1556-99 |
Premiumtext
Premiumtext is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. These Trojans will often be repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace.
The tag is: misp-galaxy:android="Premiumtext"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-080213-5308-99 |
Pris
Pris is a Trojan horse for Android devices that silently downloads a malicious application and attempts to open a back door on the compromised device.
The tag is: misp-galaxy:android="Pris"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-061820-5638-99 |
Qdplugin
Qdplugin is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Qdplugin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-102510-3330-99 |
Qicsomos
Qicsomos is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Qicsomos"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011007-2223-99 |
Qitmo
Qitmo is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Qitmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030716-4923-99 |
Rabbhome
Rabbhome is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Rabbhome"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-3750-99 |
Repane
Repane is a Trojan horse for Android devices that steals information and sends SMS messages from the compromised device.
The tag is: misp-galaxy:android="Repane"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99 |
Reputation.1
Reputation.1 is a detection for Android files based on analysis performed by Norton Mobile Insight.
The tag is: misp-galaxy:android="Reputation.1"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022612-2619-99 |
Reputation.2
Reputation.2 is a detection for Android files based on analysis performed by Norton Mobile Insight.
The tag is: misp-galaxy:android="Reputation.2"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-2629-99 |
Reputation.3
Reputation.3 is a detection for Android files based on analysis performed by Norton Mobile Insight.
The tag is: misp-galaxy:android="Reputation.3"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-3126-99 |
RevMob
RevMob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="RevMob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040308-0502-99 |
Roidsec
Roidsec is a Trojan horse for Android devices that steals confidential information.
The tag is: misp-galaxy:android="Roidsec"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99 |
Rootcager
Rootcager is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Rootcager"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-030212-1438-99 |
Rootnik
Rootnik is a Trojan horse for Android devices that steals information and downloads additional apps.
The tag is: misp-galaxy:android="Rootnik"
Rootnik has relationships with:
-
similar: misp-galaxy:malpedia="Rootnik" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99 |
Rufraud
Rufraud is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Rufraud"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121306-2304-99 |
Rusms
Rusms is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.
The tag is: misp-galaxy:android="Rusms"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061711-5009-99 |
Samsapo
Samsapo is a worm for Android devices that spreads by sending SMS messages to all contacts stored on the compromised device. It also opens a back door and downloads files.
The tag is: misp-galaxy:android="Samsapo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-050111-1908-99 |
Sandorat
Sandorat is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals information.
The tag is: misp-galaxy:android="Sandorat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-110720-2146-99 |
Sberick
Sberick is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Sberick"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071014-2146-99 |
Scartibro
Scartibro is a Trojan horse for Android devices that locks the compromised device and asks the user to pay in order to unlock it.
The tag is: misp-galaxy:android="Scartibro"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-080718-2038-99 |
Scipiex
Scipiex is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Scipiex"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-100814-4702-99 |
Selfmite
Selfmite is a worm for Android devices that spreads through SMS messages.
The tag is: misp-galaxy:android="Selfmite"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-070111-5857-99 |
Selfmite.B
Selfmite.B is a worm for Android devices that displays ads on the compromised device. It spreads through SMS messages.
The tag is: misp-galaxy:android="Selfmite.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101013-4717-99 |
SellARing
SellARing is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="SellARing"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-3157-99 |
SendDroid
SendDroid is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="SendDroid"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-2111-99 |
Simhosy
Simhosy is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Simhosy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061013-3955-99 |
Simplocker
Simplocker is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.
The tag is: misp-galaxy:android="Simplocker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99 |
Simplocker.B
Simplocker.B is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.
The tag is: misp-galaxy:android="Simplocker.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-072317-1950-99 |
Skullkey
Skullkey is a Trojan horse for Android devices that gives the attacker remote control of the compromised device to perform malicious activity.
The tag is: misp-galaxy:android="Skullkey"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99 |
Smaato
Smaato is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Smaato"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052622-1755-99 |
Smbcheck
Smbcheck is a hacktool for Android devices that can trigger a Server Message Block version 2 (SMBv2) vulnerability and may cause the target computer to crash.
The tag is: misp-galaxy:android="Smbcheck"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-5634-99 |
Smsblocker
Smsblocker is a generic detection for threats on Android devices that block the transmission of SMS messages.
The tag is: misp-galaxy:android="Smsblocker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081607-4001-99 |
Smsbomber
Smsbomber is a program that can be used to send messages to contacts on the device.
The tag is: misp-galaxy:android="Smsbomber"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-112611-5837-99 |
Smslink
Smslink is a Trojan horse for Android devices that may send malicious SMS messages from the compromised device. It may also display advertisements.
The tag is: misp-galaxy:android="Smslink"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-112600-3035-99 |
Smspacem
Smspacem is a Trojan horse that may send SMS messages from Android devices.
The tag is: misp-galaxy:android="Smspacem"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-052310-1322-99 |
SMSReplicator
SMSReplicator is a spying utility that will secretly transmit incoming SMS messages to another phone of the installer’s choice.
The tag is: misp-galaxy:android="SMSReplicator"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2010-110214-1252-99 |
Smssniffer
Smssniffer is a Trojan horse that intercepts SMS messages on Android devices.
The tag is: misp-galaxy:android="Smssniffer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071108-3626-99 |
Smsstealer
Smsstealer is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Smsstealer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121514-0214-99 |
Smstibook
Smstibook is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.
The tag is: misp-galaxy:android="Smstibook"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-051207-4833-99 |
Smszombie
Smszombie is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Smszombie"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082011-0922-99 |
Snadapps
Snadapps is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Snadapps"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071807-3111-99 |
Sockbot
Sockbot is a Trojan horse for Android devices that creates a SOCKS proxy on the compromised device.
The tag is: misp-galaxy:android="Sockbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2017-101314-1353-99 |
Sockrat
Sockrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Sockrat"
Sockrat has relationships with:
-
similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99 |
Sofacy
Sofacy is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Sofacy"
Sofacy has relationships with:
-
similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99 |
Sosceo
Sosceo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Sosceo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040408-0609-99 |
Spitmo
Spitmo is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Spitmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-091407-1435-99 |
Spitmo.B
Spitmo.B is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Spitmo.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-0445-99 |
Spyagent
Spyagent is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.
The tag is: misp-galaxy:android="Spyagent"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090710-1836-99 |
Spybubble
Spybubble is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.
The tag is: misp-galaxy:android="Spybubble"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121917-0335-99 |
Spydafon
Spydafon is a Potentially Unwanted Application for Android devices that monitors the affected device.
The tag is: misp-galaxy:android="Spydafon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030722-4740-99 |
Spymple
Spymple is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Spymple"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-5403-99 |
Spyoo
Spyoo is a spyware program for Android devices that records and sends certain information to a remote location.
The tag is: misp-galaxy:android="Spyoo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081709-0457-99 |
Spytekcell
Spytekcell is a spyware program for Android devices that monitors and sends certain information to a remote location.
The tag is: misp-galaxy:android="Spytekcell"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121021-0730-99 |
Spytrack
Spytrack is a spyware program for Android devices that periodically sends certain information to a remote location.
The tag is: misp-galaxy:android="Spytrack"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080109-5710-99 |
Spywaller
Spywaller is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Spywaller"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-121807-0203-99 |
Stealthgenie
Stealthgenie is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Stealthgenie"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99 |
Steek
Steek is a potentially unwanted application that is placed on a download website for Android applications and disguised as popular applications.
The tag is: misp-galaxy:android="Steek"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-010911-3142-99 |
Stels
Stels is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Stels"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-032910-0254-99 |
Stiniter
Stiniter is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Stiniter"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-030903-5228-99 |
Sumzand
Sumzand is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Sumzand"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080308-2851-99 |
Sysecsms
Sysecsms is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Sysecsms"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-122714-5228-99 |
Tanci
Tanci is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Tanci"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4108-99 |
Tapjoy
Tapjoy is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Tapjoy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-4702-99 |
Tapsnake
Tapsnake is a Trojan horse for Android phones that is embedded into a game. It tracks the phone’s location and posts it to a remote web service.
The tag is: misp-galaxy:android="Tapsnake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2010-081214-2657-99 |
Tascudap
Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks.
The tag is: misp-galaxy:android="Tascudap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-121312-4547-99 |
Teelog
Teelog is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Teelog"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040215-2736-99 |
Temai
Temai is a Trojan horse for Android applications that opens a back door and downloads malicious files onto the compromised device.
The tag is: misp-galaxy:android="Temai"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99 |
Tetus
Tetus is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Tetus"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-012409-4705-99 |
Tgpush
Tgpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Tgpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032816-0259-99 |
Tigerbot
Tigerbot is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Tigerbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041010-2221-99 |
Tonclank
Tonclank is a Trojan horse that steals information and may open a back door on Android devices.
The tag is: misp-galaxy:android="Tonclank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99 |
Trogle
Trogle is a worm for Android devices that may steal information from the compromised device.
The tag is: misp-galaxy:android="Trogle"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-081213-5553-99 |
Twikabot
Twikabot is a Trojan horse for Android devices that attempts to steal information.
The tag is: misp-galaxy:android="Twikabot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062614-5813-99 |
Uapush
Uapush is a Trojan horse for Android devices that steals information from the compromised device. It may also display advertisements and send SMS messages from the compromised device.
The tag is: misp-galaxy:android="Uapush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040114-2910-99 |
Umeng
Umeng is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Umeng"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5749-99 |
Updtbot
Updtbot is a Trojan horse for Android devices that may arrive through SMS messages. It may then open a back door on the compromised device.
The tag is: misp-galaxy:android="Updtbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041611-4136-99 |
Upush
Upush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Upush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-0733-99 |
Uracto
Uracto is a Trojan horse for Android devices that steals personal information and sends spam SMS messages to contacts found on the compromised device.
The tag is: misp-galaxy:android="Uracto"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-031805-2722-99 |
Uranico
Uranico is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Uranico"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-052803-3835-99 |
Usbcleaver
Usbcleaver is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Usbcleaver"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99 |
Utchi
Utchi is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Utchi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-2536-99 |
Uten
Uten is a Trojan horse for Android devices that may send, block, and delete SMS messages on a compromised device. It may also download and install additional applications and attempt to gain root privileges.
The tag is: misp-galaxy:android="Uten"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-092316-4752-99 |
Uupay
Uupay is a Trojan horse for Android devices that steals information from the compromised device. It may also download additional malware.
The tag is: misp-galaxy:android="Uupay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061714-1550-99 |
Uxipp
Uxipp is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.
The tag is: misp-galaxy:android="Uxipp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99 |
Vdloader
Vdloader is a Trojan horse for Android devices that opens a back door on the compromised device and steals confidential information.
The tag is: misp-galaxy:android="Vdloader"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080209-1420-99 |
VDopia
VDopia is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="VDopia"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-1559-99 |
Virusshield
Virusshield is a Trojan horse for Android devices that claims to scan apps and protect personal information, but has no real functionality.
The tag is: misp-galaxy:android="Virusshield"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040810-5457-99 |
VServ
VServ is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="VServ"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-3117-99 |
Walkinwat
Walkinwat is a Trojan horse that steals information from the compromised device.
The tag is: misp-galaxy:android="Walkinwat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-033008-4831-99 |
Waps
Waps is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Waps"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040406-5437-99 |
Waren
Waren is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Waren"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5501-99 |
Windseeker
Windseeker is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Windseeker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101519-0720-99 |
Wiyun
Wiyun is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Wiyun"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-5646-99 |
Wooboo
Wooboo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Wooboo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-5829-99 |
Wqmobile
Wqmobile is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Wqmobile"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4926-99 |
YahooAds
YahooAds is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="YahooAds"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-3229-99 |
Yatoot
Yatoot is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Yatoot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-031408-4748-99 |
Yinhan
Yinhan is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Yinhan"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-3350-99 |
Youmi
Youmi is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Youmi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4318-99 |
YuMe
YuMe is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="YuMe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-0322-99 |
Zeahache
Zeahache is a Trojan horse that elevates privileges on the compromised device.
The tag is: misp-galaxy:android="Zeahache"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-032309-5042-99 |
ZertSecurity
ZertSecurity is a Trojan horse for Android devices that steals information and sends it to a remote attacker.
The tag is: misp-galaxy:android="ZertSecurity"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-050820-4100-99 |
ZestAdz
ZestAdz is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="ZestAdz"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052616-3821-99 |
Zeusmitmo
Zeusmitmo is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Zeusmitmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99 |
SLocker
The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom.
The tag is: misp-galaxy:android="SLocker"
SLocker is also known as:
-
SMSLocker
Links |
http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/ |
Loapi
A malware strain known as Loapi will damage phones if users don’t remove it from their devices. Left to its own means, this modular threat will download a Monero cryptocurrency miner that will overheat and overwork the phone’s components, which will make the battery bulge, deform the phone’s cover, or even worse. Discovered by Kaspersky Labs, researchers say Loapi appears to have evolved from Podec, a malware strain spotted in 2015.
The tag is: misp-galaxy:android="Loapi"
Links |
Podec
Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015. The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.
The tag is: misp-galaxy:android="Podec"
Links |
Chamois
Chamois is one of the largest PHA families in Android to date and is distributed through multiple channels. While much of the backdoor version of this family was cleaned up in 2016, a new variant emerged in 2017. To avoid detection, this version employs a number of techniques, such as implementing custom code obfuscation, preventing user notifications, and not appearing in the device’s app list. Chamois apps, which in many cases come preloaded with the system image, try to trick users into clicking ads by displaying deceptive graphics to commit WAP or SMS fraud.
The tag is: misp-galaxy:android="Chamois"
IcicleGum
IcicleGum is a spyware PHA family whose apps rely on versions of the Igexin ads SDK that offer dynamic code-loading support. IcicleGum apps use this library’s code-loading features to fetch encrypted DEX files over HTTP from command-and-control servers. The files are then decrypted and loaded via class reflection to read and send phone call logs and other data to remote locations.
The tag is: misp-galaxy:android="IcicleGum"
IcicleGum has relationships with:
-
similar: misp-galaxy:android="Igexin" with estimative-language:likelihood-probability="likely"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
BreadSMS
BreadSMS is a large SMS-fraud PHA family that we started tracking at the beginning of 2017. These apps compose and send text messages to premium numbers without the user’s consent. In some cases, BreadSMS apps also implement subscription-based SMS fraud and silently enroll users in services provided by their mobile carriers. These apps are linked to a group of command-and-control servers whose IP addresses change frequently and that are used to provide the apps with premium SMS numbers and message text.
The tag is: misp-galaxy:android="BreadSMS"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
JamSkunk
JamSkunk is a toll-fraud PHA family composed of apps that subscribe users to services without their consent. These apps disable Wi-Fi to force traffic to go through users' mobile data connection and then contact command-and-control servers to dynamically fetch code that tries to bypass the network’s WAP service subscription verification steps. This type of PHA monetizes their abuse via WAP billing, a payment method that works through mobile data connections and allows users to easily sign up and pay for new services using their existing account (i.e., services are billed directly by the carrier, and not the service provider; the user does not need a new account or a different form of payment). Once authentication is bypassed, JamSkunk apps enroll the device in services that the user may not notice until they receive and read their next bill.
The tag is: misp-galaxy:android="JamSkunk"
Expensive Wall
Expensive Wall is a family of SMS-fraud apps that affected a large number of devices in 2017. Expensive Wall apps use code obfuscation to slow down analysis and evade detection, and rely on the JS2Java bridge to allow JavaScript code loaded inside a Webview to call Java methods the way Java apps directly do. Upon launch, Expensive Wall apps connect to command-and-control servers to fetch a domain name. This domain is then contacted via a Webview instance that loads a webpage and executes JavaScript code that calls Java methods to compose and send premium SMS messages or click ads without users' knowledge.
The tag is: misp-galaxy:android="Expensive Wall"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
BambaPurple
BambaPurple is a two-stage toll-fraud PHA family that tries to trick users into installing it by disguising itself as a popular app. After install, the app disables Wi-Fi to force the device to use its 3G connection, then redirects to subscription pages without the user’s knowledge, clicks subscription buttons using downloaded JavaScript, and intercepts incoming subscription SMS messages to prevent the user from unsubscribing. In a second stage, BambaPurple installs a backdoor app that requests device admin privileges and drops a .dex file. This executable checks to make sure it is not being debugged, downloads even more apps without user consent, and displays ads.
The tag is: misp-galaxy:android="BambaPurple"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
KoreFrog
KoreFrog is a family of trojan apps that request permission to install packages and push other apps onto the device as system apps without the user’s authorization. System apps can be disabled by the user, but cannot be easily uninstalled. KoreFrog apps operate as daemons running in the background that try to impersonate Google and other system apps by using misleading names and icons to avoid detection. The KoreFrog PHA family has also been observed to serve ads, in addition to apps.
The tag is: misp-galaxy:android="KoreFrog"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
Gaiaphish
Gaiaphish is a large family of trojan apps that target authentication tokens stored on the device to abuse the user’s privileges for various purposes. These apps use base64-encoded URL strings to avoid detection of the command-and-control servers they rely on to download APK files. These files contain phishing apps that try to steal GAIA authentication tokens that grant the user permissions to access Google services, such as Google Play, Google+, and YouTube. With these tokens, Gaiaphish apps are able to generate spam and automatically post content (for instance, fake app ratings and comments on Google Play app pages)
The tag is: misp-galaxy:android="Gaiaphish"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
RedDrop
RedDrop can perform a vast array of malicious actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive.
The tag is: misp-galaxy:android="RedDrop"
Links |
https://www.bleepingcomputer.com/news/security/new-reddrop-android-spyware-records-nearby-audio/ |
HenBox
HenBox apps masquerade as others such as VPN apps, and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores. HenBox apps appear to primarily target the Uyghurs – a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. HexBox apps target devices made by Chinese consumer electronics manufacture, Xiaomi and those running MIUI, Xiaomi’s operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps, however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds in stealing information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.
The tag is: misp-galaxy:android="HenBox"
Links |
https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/ |
MysteryBot
Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.
The tag is: misp-galaxy:android="MysteryBot"
MysteryBot has relationships with:
-
similar: misp-galaxy:malpedia="MysteryBot" with estimative-language:likelihood-probability="likely"
Links |
Skygofree
At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals. We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy. Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild. We named the malware Skygofree, because we found the word in one of the domains.
The tag is: misp-galaxy:android="Skygofree"
Skygofree has relationships with:
-
similar: misp-galaxy:malpedia="Skygofree" with estimative-language:likelihood-probability="likely"
Links |
https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/ |
BusyGasper
A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.
The tag is: misp-galaxy:android="BusyGasper"
Links |
Triout
Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.
The tag is: misp-galaxy:android="Triout"
Links |
AndroidOS_HidenAd
active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store
The tag is: misp-galaxy:android="AndroidOS_HidenAd"
AndroidOS_HidenAd is also known as:
-
AndroidOS_HiddenAd
Links |
Razdel
The Banking Trojan found in Google Play is identified as Razdel, a variant of BankBot mobile banking Trojan. This newly observed variant has taken mobile threats to the next level incorporating: Remote access Trojan functions, SMS interception, UI (User Interface) Overlay with masqueraded pages etc.
The tag is: misp-galaxy:android="Razdel"
Links |
https://mobile.twitter.com/pr3wtd/status/1097477833625088000 |
Vulture
Vulture is an Android banking trojan found in Google Play by ThreatFabric. It uses screen recording and keylogging as main strategy to harvest login credentials.
The tag is: misp-galaxy:android="Vulture"
Links |
https://twitter.com/icebre4ker/status/1485651238175846400[https://twitter.com/icebre4ker/status/1485651238175846400] |
Anubis
Starting in June 2018, a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t) was discovered. The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices. Anubis Masquerades as Google Protect.
The tag is: misp-galaxy:android="Anubis"
Links |
GodFather
The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe. Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges. Few people realize that hiding under Godfather’s hood is an old banking Trojan called Anubis, whose functionality has become outdated due to Android updates and the efforts of malware detection and prevention providers. Group-IB first detected Godfather, a mobile banking Trojan that steals the banking and cryptocurrency exchange credentials of users, in June 2021. Almost a year later, in March 2022, researchers at Threat Fabric were the first to mention the banking Trojan publicly. A few months later, in June, the Trojan stopped being circulated. One of the reasons, Group-IB analysts believe, why Godfather was taken out of use was for developers to update the Trojan further. Sure enough, Godfather reappeared in September 2022, now with slightly modified WebSocket functionality.
The tag is: misp-galaxy:android="GodFather"
GodFather has relationships with:
-
successor-of: misp-galaxy:android="Anubis" with estimative-language:likelihood-probability="likely"
Links |
Azure Threat Research Matrix
The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse..
| Azure Threat Research Matrix is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Microsoft - Karl Fosaaen - Nestori Syynimaa - Ryan Cobb - Roberto Rodriguez - Manuel Berrueta - Jonny Johnson - Dor Edry - Ram Pliskin - Nikhil Mittal - MITRE ATT&CK
AZT101 - Port Mapping
It is possible to view the open ports on a virtual machine by viewing the Virtual Network Interface’s assigned Network Security Group
The tag is: misp-galaxy:atrm="AZT101 - Port Mapping"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT101/AZT101 |
AZT102 - IP Discovery
It is possible to view the IP address on a resource by viewing the Virtual Network Interface
The tag is: misp-galaxy:atrm="AZT102 - IP Discovery"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT102/AZT102 |
AZT103 - Public Accessible Resource
A resource within Azure is accessible from the public internet.
The tag is: misp-galaxy:atrm="AZT103 - Public Accessible Resource"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT103/AZT103 |
AZT104 - Gather User Information
An adversary may obtain information about a User within Azure Active Directory. Details may include email addresses, first/last names, job information, addresses, and assigned roles. By default, all users are able to read other user’s roles and group memberships within AAD.
The tag is: misp-galaxy:atrm="AZT104 - Gather User Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT104/AZT104 |
AZT105 - Gather Application Information
An adversary may obtain information about an application within Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT105 - Gather Application Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT105/AZT105 |
AZT106 - Gather Role Information
An adversary may obtain information about a role within Azure Active Directory or within Azure Resource Manager.
The tag is: misp-galaxy:atrm="AZT106 - Gather Role Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106 |
AZT106.1 - Gather AAD Role Information
An adversary may gather role assignments within Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT106.1 - Gather AAD Role Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-1 |
AZT106.2 - Gather Application Role Information
An adversary may gather information about an application role & it’s member assignments within Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT106.2 - Gather Application Role Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-2 |
AZT106.3 - Gather Azure Resources Role Assignments
An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.
The tag is: misp-galaxy:atrm="AZT106.3 - Gather Azure Resources Role Assignments"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-3 |
AZT107 - Gather Resource Data
An adversary may obtain information and data within a resource.
The tag is: misp-galaxy:atrm="AZT107 - Gather Resource Data"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT107/AZT107 |
AZT108 - Gather Victim Data
An adversary may access a user’s personal data if their account is compromised. This includes data such as email, OneDrive, Teams, etc.
The tag is: misp-galaxy:atrm="AZT108 - Gather Victim Data"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT108/AZT108 |
AZT201 - Valid Credentials
Adversaries may login to AzureAD using valid credentials. By logging in with valid credentials to an account or service principal, the adversary will assume all privileges of that account or service principal. If the account is privileged, this may lead to other tactics, such as persistence or privilege escalation.
The tag is: misp-galaxy:atrm="AZT201 - Valid Credentials"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201 |
AZT201.1 - User Account
By obtaining valid user credentials, an adversary may login to AzureAD via command line or through the Azure Portal.
The tag is: misp-galaxy:atrm="AZT201.1 - User Account"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-1 |
AZT201.2 - Service Principal
By obtaining a valid secret or certificate, an adversary may login to AzureAD via command line.
The tag is: misp-galaxy:atrm="AZT201.2 - Service Principal"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-2 |
AZT202 - Password Spraying
An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.
The tag is: misp-galaxy:atrm="AZT202 - Password Spraying"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT202/AZT202 |
AZT203 - Malicious Application Consent
An adversary may lure a victim into giving their access to a malicious application registered in AzureAD.
The tag is: misp-galaxy:atrm="AZT203 - Malicious Application Consent"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT203/AZT203 |
AZT301 - Virtual Machine Scripting
Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.
The tag is: misp-galaxy:atrm="AZT301 - Virtual Machine Scripting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301 |
AZT301.1 - RunCommand
By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:* Windows: PowerShell commands to the VM as SYSTEM.* Linux: Shell commands to the VM as root.
The tag is: misp-galaxy:atrm="AZT301.1 - RunCommand"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-1 |
AZT301.2 - CustomScriptExtension
By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
The tag is: misp-galaxy:atrm="AZT301.2 - CustomScriptExtension"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-2 |
AZT301.3 - Desired State Configuration
By utilizing the 'Desired State Configuration extension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
The tag is: misp-galaxy:atrm="AZT301.3 - Desired State Configuration"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-3 |
AZT301.4 - Compute Gallery Application
By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.
The tag is: misp-galaxy:atrm="AZT301.4 - Compute Gallery Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-4 |
AZT301.5 - AKS Command Invoke
By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster’s VM as SYSTEM
The tag is: misp-galaxy:atrm="AZT301.5 - AKS Command Invoke"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-5 |
AZT301.6 - Vmss Run Command
By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on an instance or instances of VMs as:* Windows: PowerShell commands to the VM as SYSTEM.* Linux: Shell commands to the VM as root.
The tag is: misp-galaxy:atrm="AZT301.6 - Vmss Run Command"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-6 |
AZT301.7 - Serial Console
By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.
The tag is: misp-galaxy:atrm="AZT301.7 - Serial Console"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-7 |
AZT302 - Serverless Scripting
Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.
The tag is: misp-galaxy:atrm="AZT302 - Serverless Scripting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302 |
AZT302.1 - Automation Account Runbook Hybrid Worker Group
By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.
The tag is: misp-galaxy:atrm="AZT302.1 - Automation Account Runbook Hybrid Worker Group"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-1 |
AZT302.2 - Automation Account Runbook RunAs Account
By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand [(AZT301.1)](../AZT301/AZT301-1.md) if that service principal has the correct role and privileges.
The tag is: misp-galaxy:atrm="AZT302.2 - Automation Account Runbook RunAs Account"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-2 |
AZT302.3 - Automation Account Runbook Managed Identity
By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand [(AZT301.1)](../AZT301/AZT301-1.md) if that service principal has the correct role and privileges.
The tag is: misp-galaxy:atrm="AZT302.3 - Automation Account Runbook Managed Identity"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-3 |
AZT302.4 - Function Application
By utilizing a Function Application, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT302.4 - Function Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-4 |
AZT303 - Managed Device Scripting
Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.
The tag is: misp-galaxy:atrm="AZT303 - Managed Device Scripting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT303/AZT303 |
AZT401 - Privileged Identity Management Role
An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).
The tag is: misp-galaxy:atrm="AZT401 - Privileged Identity Management Role"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401 |
AZT402 - Elevated Access Toggle
An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator
The tag is: misp-galaxy:atrm="AZT402 - Elevated Access Toggle"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT402/AZT402 |
AZT403 - Local Resource Hijack
By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges by injecting commands that will add an arbitrary user account to a desired role and scope.
The tag is: misp-galaxy:atrm="AZT403 - Local Resource Hijack"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT403/AZT403-1 |
AZT404 - Principal Impersonation
Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.
The tag is: misp-galaxy:atrm="AZT404 - Principal Impersonation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404 |
AZT404.1 - Function Application
By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.1 - Function Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-1 |
AZT404.2 - Logic Application
By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.2 - Logic Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-2 |
AZT404.3 - Automation Account
By utilizing a Automation Account configured with a managed identity or RunAs account, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.3 - Automation Account"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-3 |
AZT404.4 - App Service
By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.4 - App Service"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-4 |
AZT405 - Azure AD Application
Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.
The tag is: misp-galaxy:atrm="AZT405 - Azure AD Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405 |
AZT405.1 - Application API Permissions
By compromising a user, user in a group, or service principal that has an application role over an application, they may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged assigned application role.
The tag is: misp-galaxy:atrm="AZT405.1 - Application API Permissions"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-1 |
AZT405.2 - Application Role
By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.
The tag is: misp-galaxy:atrm="AZT405.2 - Application Role"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-2 |
AZT405.3 - Application Registration Owner
By compromising an account who is an 'Owner' over an application that is configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials & logging in as the service principal.
The tag is: misp-galaxy:atrm="AZT405.3 - Application Registration Owner"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3 |
AZT501 - Account Manipulation
An adverary may manipulate an account to maintain access in an Azure tenant
The tag is: misp-galaxy:atrm="AZT501 - Account Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501 |
AZT501.1 - User Account Manipulation
An adverary may manipulate a user account to maintain access in an Azure tenant
The tag is: misp-galaxy:atrm="AZT501.1 - User Account Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-1 |
AZT501.2 - Service Principal Manipulation
An adverary may manipulate a service principal to maintain access in an Azure tenant
The tag is: misp-galaxy:atrm="AZT501.2 - Service Principal Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2 |
AZT501.3 - Azure VM Local Administrator Manipulation
An adverary may manipulate the local admin account on an Azure VM
The tag is: misp-galaxy:atrm="AZT501.3 - Azure VM Local Administrator Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-3 |
AZT502 - Account Creation
An adversary may create an account in Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT502 - Account Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502 |
AZT502.1 - User Account Creation
An adversary may create an application & service principal in Azure Active Directory
The tag is: misp-galaxy:atrm="AZT502.1 - User Account Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-1 |
AZT502.2 - Service Principal Creation
An adversary may create an application & service principal in Azure Active Directory
The tag is: misp-galaxy:atrm="AZT502.2 - Service Principal Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-2 |
AZT502.3 - Guest Account Creation
An adversary may create a guest account in Azure Active Directory
The tag is: misp-galaxy:atrm="AZT502.3 - Guest Account Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-3 |
AZT503 - HTTP Trigger
Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.
The tag is: misp-galaxy:atrm="AZT503 - HTTP Trigger"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503 |
AZT503.1 - Logic Application HTTP Trigger
Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
The tag is: misp-galaxy:atrm="AZT503.1 - Logic Application HTTP Trigger"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-1 |
AZT503.2 - Function App HTTP Trigger
Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
The tag is: misp-galaxy:atrm="AZT503.2 - Function App HTTP Trigger"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-2 |
AZT503.3 - Runbook Webhook
Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.
The tag is: misp-galaxy:atrm="AZT503.3 - Runbook Webhook"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3 |
AZT503.4 - WebJob
Adversaries may create a WebJob on a App Service which allows arbitrary background tasks to be run on a set schedule
The tag is: misp-galaxy:atrm="AZT503.4 - WebJob"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-4 |
AZT504 - Watcher Tasks
By configurating a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.
The tag is: misp-galaxy:atrm="AZT504 - Watcher Tasks"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT504/AZT504 |
AZT505 - Scheduled Jobs
Adversaries may create a schedule for a Runbook to run at a defined interval.
The tag is: misp-galaxy:atrm="AZT505 - Scheduled Jobs"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT505/AZT505-1 |
AZT506 - Network Security Group Modification
Adversaries can modify the rules in a Network Security Group to establish access over additional ports.
The tag is: misp-galaxy:atrm="AZT506 - Network Security Group Modification"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT506/AZT506 |
AZT507 - External Entity Access
Adversaries may configure the target Azure tenant to be managed by another, externel tenant, or its users.
The tag is: misp-galaxy:atrm="AZT507 - External Entity Access"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507 |
AZT507.1 - Azure Lighthouse
Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant
The tag is: misp-galaxy:atrm="AZT507.1 - Azure Lighthouse"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-1 |
AZT507.2 - Microsoft Partners
Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.
The tag is: misp-galaxy:atrm="AZT507.2 - Microsoft Partners"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-2 |
AZT507.3 - Subscription Hijack
An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account setup by the target and the target tenant administrators will no longer have control over the subscription.
The tag is: misp-galaxy:atrm="AZT507.3 - Subscription Hijack"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-3 |
AZT507.4 - Domain Trust Modification
An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.
The tag is: misp-galaxy:atrm="AZT507.4 - Domain Trust Modification"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-4 |
AZT508 - Azure Policy
By configuring a policy with the 'DeployIfNotExists' definition, an adverary may establish persistence by creating a backdoor when the policy is triggered.
The tag is: misp-galaxy:atrm="AZT508 - Azure Policy"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT508/AZT508 |
AZT601 - Steal Managed Identity JsonWebToken
An adverary may utilize the resource’s functionality to obtain a JWT for the applied Managed Identity Service Principal account.
The tag is: misp-galaxy:atrm="AZT601 - Steal Managed Identity JsonWebToken"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601 |
AZT601.1 - Virtual Machine IMDS Request
By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.
The tag is: misp-galaxy:atrm="AZT601.1 - Virtual Machine IMDS Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-1 |
AZT601.2 - Azure Kubernetes Service IMDS Request
By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.
The tag is: misp-galaxy:atrm="AZT601.2 - Azure Kubernetes Service IMDS Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-2 |
AZT601.3 - Logic Application JWT PUT Request
If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity’s JWT.
The tag is: misp-galaxy:atrm="AZT601.3 - Logic Application JWT PUT Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-3 |
AZT601.4 - Function Application JWT GET Request
If a Function App is using a Managed Identity, an adversary can modify the logic respond to an HTTP GET request to reveal the Managed Identity’s JWT.
The tag is: misp-galaxy:atrm="AZT601.4 - Function Application JWT GET Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-4 |
AZT601.5 - Automation Account Runbook
If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity’s JWT.
The tag is: misp-galaxy:atrm="AZT601.5 - Automation Account Runbook"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-5 |
AZT602 - Steal Service Principal Certificate
If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.
The tag is: misp-galaxy:atrm="AZT602 - Steal Service Principal Certificate"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT602/AZT602-1 |
AZT603 - Service Principal Secret Reveal
If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal’s secret in plain text.
The tag is: misp-galaxy:atrm="AZT603 - Service Principal Secret Reveal"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT603/AZT603-1 |
AZT604 - Azure KeyVault Dumping
An adverary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.
The tag is: misp-galaxy:atrm="AZT604 - Azure KeyVault Dumping"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604 |
AZT604.1 - Azure KeyVault Secret Dump
By accessing an Azure Key Vault, an adversary may dump any or all secrets.
The tag is: misp-galaxy:atrm="AZT604.1 - Azure KeyVault Secret Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-1 |
AZT604.2 - Azure KeyVault Certificate Dump
By accessing an Azure Key Vault, an adversary may dump any or all certificates.
The tag is: misp-galaxy:atrm="AZT604.2 - Azure KeyVault Certificate Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-2 |
AZT604.3 - Azure KeyVault Key Dump
By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that Private keys cannot be retrieved.
The tag is: misp-galaxy:atrm="AZT604.3 - Azure KeyVault Key Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-3 |
AZT605 - Resource Secret Reveal
An adverary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.
The tag is: misp-galaxy:atrm="AZT605 - Resource Secret Reveal"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605 |
AZT605.1 - Storage Account Access Key Dumping
By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.
The tag is: misp-galaxy:atrm="AZT605.1 - Storage Account Access Key Dumping"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-1 |
AZT605.2 - Automation Account Credential Secret Dump
By editing a Runbook, a credential configured in an Automation Account may be revealed
The tag is: misp-galaxy:atrm="AZT605.2 - Automation Account Credential Secret Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-2 |
AZT605.3 - Resource Group Deployment History Secret Dump
By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.
The tag is: misp-galaxy:atrm="AZT605.3 - Resource Group Deployment History Secret Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-3 |
AZT701 - SAS URI Generation
By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.
The tag is: misp-galaxy:atrm="AZT701 - SAS URI Generation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701 |
AZT701.1 - VM Disk SAS URI
An adversary may create an SAS URI to download the disk attached to a virtual machine.
The tag is: misp-galaxy:atrm="AZT701.1 - VM Disk SAS URI"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-1 |
AZT701.2 - Storage Account File Share SAS
By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.
The tag is: misp-galaxy:atrm="AZT701.2 - Storage Account File Share SAS"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-2 |
AZT702 - File Share Mounting
An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.
The tag is: misp-galaxy:atrm="AZT702 - File Share Mounting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT702/AZT702-1 |
AZT703 - Replication
By setting up cross-tenant replication, an adversary may set up replication from one tenant’s storage account to an extrenal tenant’s storage account.
The tag is: misp-galaxy:atrm="AZT703 - Replication"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT703/AZT703-1 |
AZT704 - Soft-Delete Recovery
An adversary may leverage resources found at a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted
The tag is: misp-galaxy:atrm="AZT704 - Soft-Delete Recovery"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704 |
AZT704.1 - Key Vault
An adversary may recover a key vault object found in a 'soft deletion' state.
The tag is: misp-galaxy:atrm="AZT704.1 - Key Vault"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-1 |
AZT704.2 - Storage Account Object
An adversary may recover a storage account object found in a 'soft deletion' state.
The tag is: misp-galaxy:atrm="AZT704.2 - Storage Account Object"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-2 |
AZT704.3 - Recovery Services Vault
An adversary may recover a virtual machine object found in a 'soft deletion' state.
The tag is: misp-galaxy:atrm="AZT704.3 - Recovery Services Vault"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-3 |
attck4fraud
attck4fraud - Principles of MITRE ATT&CK in the fraud domain.
| attck4fraud is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Francesco Bigarella
Phishing
In the context of ATT&CK for Fraud, phishing is described as the sending of fraudulent emails to a large audience in order to obtain sensitive information (PII, credentials, payment information). Phishing is never targeted to a specific individual or organisation. Phishing tries to create a sense of urgency or curiosity in order to capture the victim.
The tag is: misp-galaxy:financial-fraud="Phishing"
Links |
Spear phishing
Spear phishing is the use of targeted emails to gain the trust of the target with the goal of committing fraud. Spear phishing messages are generally specific to the target and show an understanding of the target’s organisation structure, supply chain or business.
The tag is: misp-galaxy:financial-fraud="Spear phishing"
Links |
ATM skimming
ATM Skimming refers to the act of capturing the data stored on a bank cards (tracks) and the Personal Identification Number (PIN) associated to that card. Upon obtaining the data, the criminal proceeds to encode the same information into a new card and use it in combination with the PIN to perform illicit cash withdrawals. ATM Skimming is often achieved with a combination of a skimmer device for the card and a camera to capture the PIN.
The tag is: misp-galaxy:financial-fraud="ATM skimming"
ATM Shimming
ATM Shimming refers to the act of capturing a bank card data accessing the EMV chip installed on the card while presenting the card to a ATM. Due to their low profile, shimmers can be fit inside ATM card readers and are therefore more difficult to detect.
The tag is: misp-galaxy:financial-fraud="ATM Shimming"
Account-Checking Services
Account-Checking Services
The tag is: misp-galaxy:financial-fraud="Account-Checking Services"
ATM Black Box Attack
ATM Black Box Attack
The tag is: misp-galaxy:financial-fraud="ATM Black Box Attack"
Buying/Renting Fraud
Buying/Renting Fraud
The tag is: misp-galaxy:financial-fraud="Buying/Renting Fraud"
Business Email Compromise
Business Email Compromise
The tag is: misp-galaxy:financial-fraud="Business Email Compromise"
Compromised Payment Cards
Compromised Payment Cards
The tag is: misp-galaxy:financial-fraud="Compromised Payment Cards"
Compromised Account Credentials
Compromised Account Credentials
The tag is: misp-galaxy:financial-fraud="Compromised Account Credentials"
Compromised Personally Identifiable Information (PII)
Compromised Personally Identifiable Information (PII)
The tag is: misp-galaxy:financial-fraud="Compromised Personally Identifiable Information (PII)"
Compromised Intellectual Property (IP)
Compromised Intellectual Property (IP)
The tag is: misp-galaxy:financial-fraud="Compromised Intellectual Property (IP)"
Cryptocurrency Exchange
Cryptocurrency Exchange
The tag is: misp-galaxy:financial-fraud="Cryptocurrency Exchange"
ATM Explosive Attack
ATM Explosive Attack
The tag is: misp-galaxy:financial-fraud="ATM Explosive Attack"
Backdoor
A list of backdoor malware..
| Backdoor is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
raw-data
WellMess
Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.
The tag is: misp-galaxy:backdoor="WellMess"
WellMess has relationships with:
-
similar: misp-galaxy:malpedia="WellMess" with estimative-language:likelihood-probability="likely"
Links |
Rosenbridge
The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.
While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.
The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU’s memory, but its register file and execution pipeline as well.
The tag is: misp-galaxy:backdoor="Rosenbridge"
Links |
ServHelper
The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.
"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit," researchers from Proofpoint explain in an analysis released today.
The other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.
The tag is: misp-galaxy:backdoor="ServHelper"
Links |
Rising Sun
The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.
The tag is: misp-galaxy:backdoor="Rising Sun"
Links |
https://www.bluvector.io/threat-report-rising-sun-operation-sharpshooter/ |
SLUB
A new backdoor was observed using the Github Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack. The backdoor dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild is part of a multi-stage infection process designed by capable threat actors who programmed it in C++. SLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP request, "extracting commands from gist snippets," and "parsing Slack channel communication." The campaign recently observed by the Trend Micro security researchers abusing the Github and Slack uses a multi-stage infection process.
The tag is: misp-galaxy:backdoor="SLUB"
SLUB has relationships with:
-
similar: misp-galaxy:tool="SLUB Backdoor" with estimative-language:likelihood-probability="likely"
Links |
Asruex
Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.
The tag is: misp-galaxy:backdoor="Asruex"
Links |
Speculoos
FreeBSD-based payload, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679 which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.
The tag is: misp-galaxy:backdoor="Speculoos"
Speculoos has relationships with:
-
used-by: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="very-likely"
Links |
Mori Backdoor
Mori Backdoor has been used by Seedworm.
The tag is: misp-galaxy:backdoor="Mori Backdoor"
Links |
BazarBackdoor
Something that made the brute-force attacks on RDP connections easier was a new module of the notorious Trojan, TrickBot. It now seems that the TrickBot developers have a new tactic. Cybersecurity researchers have discovered a new phishing campaign that delivers a stealthy backdoor called BazarBackdoor, which can be used to compromise and gain full access to corporate networks. As is the case with 91% of cyberattacks, this one starts with a phishing email. A range of subjects are used to personalize the emails: Customer complaints, coronavirus-themed payroll reports, or employee termination lists. All these emails contain links to documents hosted on Google Docs. To send the malicious emails, the cybercriminals use the marketing platform Sendgrid. This campaign uses spear phishing, which means that the perpetrators have made an effort to ensure that the websites sent in the emails seem legitimate and correspond to the emails subjects.
The tag is: misp-galaxy:backdoor="BazarBackdoor"
BazarBackdoor is also known as:
-
BEERBOT
-
KEGTAP
-
Team9Backdoor
-
bazaloader
-
bazarloader
-
bazaarloader
Links |
https://www.pandasecurity.com/en/mediacenter/business/bazarbackdoor-trickbot-backdoor/ |
SUNBURST
Backdoor.Sunburst is Malwarebytes’ detection name for a trojanized update to SolarWind’s Orion IT monitoring and management software.
The tag is: misp-galaxy:backdoor="SUNBURST"
SUNBURST is also known as:
-
Solarigate
SUNBURST has relationships with:
-
dropped-by: misp-galaxy:tool="SUNSPOT" with estimative-language:likelihood-probability="likely"
-
used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"
Links |
https://www.varonis.com/blog/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/ |
BPFDoor
BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant
The tag is: misp-galaxy:backdoor="BPFDoor"
Links |
https://twitter.com/CraigHRowland/status/1523266585133457408 |
BOLDMOVE
According to Mandiant, this malware family is attributed to potential chinese background and its Linux variant is related to exploitation of Fortinet’s SSL-VPN (CVE-2022-42475).
The tag is: misp-galaxy:backdoor="BOLDMOVE"
Banker
A list of banker malware..
| Banker is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Unknown - raw-data
Zeus
Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.
The tag is: misp-galaxy:banker="Zeus"
Zeus is also known as:
-
Zbot
Zeus has relationships with:
-
similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"
Links |
https://usa.kaspersky.com/resource-center/threats/zeus-virus |
Vawtrak
Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.
The tag is: misp-galaxy:banker="Vawtrak"
Vawtrak is also known as:
-
Neverquest
Vawtrak has relationships with:
-
similar: misp-galaxy:tool="Vawtrak" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Vawtrak" with estimative-language:likelihood-probability="likely"
Dridex
Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.
The tag is: misp-galaxy:banker="Dridex"
Dridex is also known as:
-
Feodo Version D
-
Cridex
Dridex has relationships with:
-
similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dridex" with estimative-language:likelihood-probability="likely"
Links |
Gozi
Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010
The tag is: misp-galaxy:banker="Gozi"
Gozi is also known as:
-
Ursnif
-
CRM
-
Snifula
-
Papras
Gozi has relationships with:
-
similar: misp-galaxy:tool="Snifula" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Gozi" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Snifula" with estimative-language:likelihood-probability="likely"
Links |
https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 |
Goziv2
Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.
The tag is: misp-galaxy:banker="Goziv2"
Goziv2 is also known as:
-
Prinimalka
Links |
Gozi ISFB
Banking trojan based on Gozi source. Features include web injects for the victims’ browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.
The tag is: misp-galaxy:banker="Gozi ISFB"
Gozi ISFB has relationships with:
-
similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"
Links |
https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature |
https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak |
Dreambot
Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.
The tag is: misp-galaxy:banker="Dreambot"
Links |
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality |
IAP
Gozi ISFB variant
The tag is: misp-galaxy:banker="IAP"
IAP has relationships with:
-
similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"
Links |
GozNym
GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers.
The tag is: misp-galaxy:banker="GozNym"
Links |
https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/ |
Zloader Zeus
Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="Zloader Zeus"
Zloader Zeus is also known as:
-
Zeus Terdot
Zloader Zeus has relationships with:
-
similar: misp-galaxy:malpedia="Zloader" with estimative-language:likelihood-probability="likely"
Links |
https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle |
Zeus VM
Zeus variant that utilizes steganography in image files to retrieve configuration file.
The tag is: misp-galaxy:banker="Zeus VM"
Zeus VM is also known as:
-
VM Zeus
Zeus VM has relationships with:
-
similar: misp-galaxy:malpedia="VM Zeus" with estimative-language:likelihood-probability="likely"
Links |
https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/ |
Zeus Sphinx
Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.
The tag is: misp-galaxy:banker="Zeus Sphinx"
Zeus Sphinx has relationships with:
-
similar: misp-galaxy:malpedia="Zeus Sphinx" with estimative-language:likelihood-probability="likely"
Links |
https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/ |
Panda Banker
Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.
The tag is: misp-galaxy:banker="Panda Banker"
Panda Banker is also known as:
-
Zeus Panda
Links |
https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market |
https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf |
Zeus KINS
Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it’s config in the registry.
The tag is: misp-galaxy:banker="Zeus KINS"
Zeus KINS is also known as:
-
Kasper Internet Non-Security
-
Maple
Zeus KINS has relationships with:
-
similar: misp-galaxy:malpedia="KINS" with estimative-language:likelihood-probability="likely"
Links |
https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/ |
Chthonic
Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.
The tag is: misp-galaxy:banker="Chthonic"
Chthonic is also known as:
-
Chtonic
Chthonic has relationships with:
-
similar: misp-galaxy:malpedia="Chthonic" with estimative-language:likelihood-probability="likely"
Links |
https://securelist.com/chthonic-a-new-modification-of-zeus/68176/ |
Trickbot
Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan
The tag is: misp-galaxy:banker="Trickbot"
Trickbot is also known as:
-
Trickster
-
Trickloader
Trickbot has relationships with:
-
similar: misp-galaxy:tool="Trick Bot" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="TrickBot" with estimative-language:likelihood-probability="likely"
Dyre
Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim’s computer.
The tag is: misp-galaxy:banker="Dyre"
Dyre is also known as:
-
Dyreza
Dyre has relationships with:
-
similar: misp-galaxy:mitre-malware="Dyre - S0024" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dyre" with estimative-language:likelihood-probability="likely"
Links |
https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/ |
Tinba
Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.
The tag is: misp-galaxy:banker="Tinba"
Tinba is also known as:
-
Zusy
-
TinyBanker
-
illi
Tinba has relationships with:
-
similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Tinba" with estimative-language:likelihood-probability="likely"
Geodo
Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.
The tag is: misp-galaxy:banker="Geodo"
Geodo is also known as:
-
Feodo Version C
-
Emotet
Geodo has relationships with:
-
similar: misp-galaxy:tool="Emotet" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Emotet" with estimative-language:likelihood-probability="likely"
Links |
https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/ |
https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet |
Feodo
Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. Version A = Port 8080, Version B = Port 80 It is delivered primarily via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="Feodo"
Feodo is also known as:
-
Bugat
-
Cridex
Feodo has relationships with:
-
similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Feodo" with estimative-language:likelihood-probability="likely"
Links |
http://stopmalvertising.com/rootkits/analysis-of-cridex.html |
Ramnit
Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.
The tag is: misp-galaxy:banker="Ramnit"
Ramnit is also known as:
-
Nimnul
Ramnit has relationships with:
-
similar: misp-galaxy:botnet="Ramnit" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"
Links |
https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ |
Qakbot
Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.
The tag is: misp-galaxy:banker="Qakbot"
Qakbot is also known as:
-
Qbot
-
Pinkslipbot
-
Akbot
Qakbot has relationships with:
-
similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="likely"
Corebot
Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.
The tag is: misp-galaxy:banker="Corebot"
Corebot has relationships with:
-
similar: misp-galaxy:malpedia="Corebot" with estimative-language:likelihood-probability="likely"
Links |
https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/ |
TinyNuke
TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It’s main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.
The tag is: misp-galaxy:banker="TinyNuke"
TinyNuke is also known as:
-
NukeBot
-
Nuclear Bot
-
MicroBankingTrojan
-
Xbot
TinyNuke has relationships with:
-
similar: misp-galaxy:mitre-tool="Xbot - S0298" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Xbot" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="TinyNuke" with estimative-language:likelihood-probability="likely"
Retefe
Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails.
The tag is: misp-galaxy:banker="Retefe"
Retefe is also known as:
-
Tsukuba
-
Werdlod
Retefe has relationships with:
-
similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"
ReactorBot
ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.
The tag is: misp-galaxy:banker="ReactorBot"
ReactorBot has relationships with:
-
similar: misp-galaxy:malpedia="ReactorBot" with estimative-language:likelihood-probability="likely"
Matrix Banker
Matrix Banker is named accordingly because of the Matrix reference in it’s C2 panel. Distributed primarily via malspam emails.
The tag is: misp-galaxy:banker="Matrix Banker"
Matrix Banker has relationships with:
-
similar: misp-galaxy:malpedia="Matrix Banker" with estimative-language:likelihood-probability="likely"
Links |
https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/ |
Zeus Gameover
Zeus Gameover captures banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.
The tag is: misp-galaxy:banker="Zeus Gameover"
Links |
SpyEye
SpyEye is a similar to the Zeus botnet banking trojan. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, ftp grabber, pop3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="SpyEye"
Links |
https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf |
https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot |
Citadel
Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.
The tag is: misp-galaxy:banker="Citadel"
Citadel has relationships with:
-
similar: misp-galaxy:malpedia="Citadel" with estimative-language:likelihood-probability="likely"
Links |
https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/ |
Atmos
Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="Atmos"
Links |
https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/ |
Ice IX
Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.
The tag is: misp-galaxy:banker="Ice IX"
Ice IX has relationships with:
-
similar: misp-galaxy:malpedia="Ice IX" with estimative-language:likelihood-probability="likely"
Links |
https://securelist.com/ice-ix-not-cool-at-all/29111/ [https://securelist.com/ice-ix-not-cool-at-all/29111/ ] |
Zitmo
Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.
The tag is: misp-galaxy:banker="Zitmo"
Links |
https://securelist.com/zeus-in-the-mobile-for-android-10/29258/ |
Licat
Banking trojan based on Zeus V2. Murofet is a newer version of Licat found ~end of 2011
The tag is: misp-galaxy:banker="Licat"
Licat is also known as:
-
Murofet
Licat has relationships with:
-
similar: misp-galaxy:malpedia="Murofet" with estimative-language:likelihood-probability="likely"
Links |
https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/ |
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A |
Skynet
Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.
The tag is: misp-galaxy:banker="Skynet"
Links |
https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/ |
IcedID
According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.
The tag is: misp-galaxy:banker="IcedID"
IcedID is also known as:
-
BokBot
IcedID has relationships with:
-
similar: misp-galaxy:malpedia="IcedID" with estimative-language:likelihood-probability="likely"
GratefulPOS
GratefulPOS has the following functions 1. Access arbitrary processes on the target POS system 2. Scrape track 1 and 2 payment card data from the process(es) 3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.
The tag is: misp-galaxy:banker="GratefulPOS"
GratefulPOS has relationships with:
-
similar: misp-galaxy:tool="GratefulPOS" with estimative-language:likelihood-probability="likely"
Links |
Dok
A macOS banking trojan that that redirects an infected user’s web traffic in order to extract banking credentials.
The tag is: misp-galaxy:banker="Dok"
Dok has relationships with:
-
similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"
Links |
downAndExec
Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.
The tag is: misp-galaxy:banker="downAndExec"
Links |
https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/ |
Smominru
Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware. The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.
The tag is: misp-galaxy:banker="Smominru"
Smominru is also known as:
-
Ismo
-
lsmo
Smominru has relationships with:
-
similar: misp-galaxy:malpedia="Smominru" with estimative-language:likelihood-probability="likely"
Links |
DanaBot
It’s a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll)
The tag is: misp-galaxy:banker="DanaBot"
DanaBot has relationships with:
-
similar: misp-galaxy:malpedia="DanaBot" with estimative-language:likelihood-probability="likely"
Links |
https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0 |
Backswap
The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload
The tag is: misp-galaxy:banker="Backswap"
Links |
https://www.cert.pl/news/single/analiza-zlosliwego-oprogramowania-backswap/ |
https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/ |
Bebloh
The tag is: misp-galaxy:banker="Bebloh"
Bebloh is also known as:
-
URLZone
-
Shiotob
Bebloh has relationships with:
-
similar: misp-galaxy:malpedia="UrlZone" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security-center/writeup/2011-041411-0912-99 |
Banjori
The tag is: misp-galaxy:banker="Banjori"
Banjori is also known as:
-
MultiBanker 2
-
BankPatch
-
BackPatcher
Banjori has relationships with:
-
similar: misp-galaxy:malpedia="Banjori" with estimative-language:likelihood-probability="likely"
Links |
Qadars
The tag is: misp-galaxy:banker="Qadars"
Qadars has relationships with:
-
similar: misp-galaxy:malpedia="Qadars" with estimative-language:likelihood-probability="likely"
Links |
https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/ |
Ranbyus
The tag is: misp-galaxy:banker="Ranbyus"
Ranbyus has relationships with:
-
similar: misp-galaxy:malpedia="Ranbyus" with estimative-language:likelihood-probability="likely"
Links |
Fobber
The tag is: misp-galaxy:banker="Fobber"
Fobber has relationships with:
-
similar: misp-galaxy:malpedia="Fobber" with estimative-language:likelihood-probability="likely"
Links |
Karius
Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a rather traditional fashion to other banking malware and consists of three components (injector32\64.exe, proxy32\64.dll and mod32\64.dll), these components essentially work together to deploy webinjects in several browsers.
The tag is: misp-galaxy:banker="Karius"
Karius has relationships with:
-
similar: misp-galaxy:malpedia="Karius" with estimative-language:likelihood-probability="likely"
Links |
https://research.checkpoint.com/banking-trojans-development/ |
Kronos
Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renew version was reconnecting with infected bots and sending them a brand new configuration file against U.K. banks and one bank in India. Similar to Zeus it was focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018, the main difference is that the 2018 edition uses Tor-hosted C&C control panels.
The tag is: misp-galaxy:banker="Kronos"
Kronos has relationships with:
-
similar: misp-galaxy:malpedia="Kronos" with estimative-language:likelihood-probability="likely"
Links |
https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/ |
CamuBot
A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components. CamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.
The tag is: misp-galaxy:banker="CamuBot"
CamuBot has relationships with:
-
similar: misp-galaxy:malpedia="CamuBot" with estimative-language:likelihood-probability="likely"
Dark Tequila
Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.
The tag is: misp-galaxy:banker="Dark Tequila"
Links |
https://thehackernews.com/2018/08/mexico-banking-malware.html |
Malteiro
Distributed by Malteiro
The tag is: misp-galaxy:banker="Malteiro"
Malteiro is also known as:
-
URSA
Malteiro has relationships with:
-
delivered-by: misp-galaxy:threat-actor="Malteiro" with estimative-language:likelihood-probability="likely"
Links |
Bhadra Framework
Bhadra Threat Modeling Framework.
| Bhadra Framework is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Siddharth Prakash Rao - Silke Holtmanns - Tuomas Aura
Attacks from UE
"Attacks from UE" refers to any technique that involves the attacks launched by the software or hardware components of the user equipment to send malicious traffic into the mobile network.
The tag is: misp-galaxy:bhadra-framework="Attacks from UE"
SIM-based attacks
The "SIM-based attacks" are the techniques that involve any physical smart cards, namely SIM from 2G, USIM from 3G, and UICC from 4G networks.
The tag is: misp-galaxy:bhadra-framework="SIM-based attacks"
Attacks from radio access network
The "attacks from radio access network" are the techniques where an adversary with radio capabilities impersonates the mobile network to the UE (or vice versa) and becomes a man-in-the-middle.
The tag is: misp-galaxy:bhadra-framework="Attacks from radio access network"
Attacks from other mobile network
The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies for legal interception and human insiders with access to network nodes
The tag is: misp-galaxy:bhadra-framework="Attacks from other mobile network"
Attacks with access to transport network
The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies for legal interception and human insiders with access to network nodes
The tag is: misp-galaxy:bhadra-framework="Attacks with access to transport network"
Attacks from IP-based network
The "attacks from IP-based attacks" techniques mostly are launched from the service and application network, which allows non operator entities to infuse malicious trac into an operator’s network.
The tag is: misp-galaxy:bhadra-framework="Attacks from IP-based network"
Insider attacks and human errors
The "insider attacks and human errors" technique involve the intentional attacks and unintentional mistakes from human insiders with access to any component of the mobile communication ecosystem.
The tag is: misp-galaxy:bhadra-framework="Insider attacks and human errors"
Infecting UE hardware or software
Retaining the foothold gained on the target system through the initial access by infecting UE hardware or software.
The tag is: misp-galaxy:bhadra-framework="Infecting UE hardware or software"
Infecting SIM cards
Retaining the foothold gained on the target system through the initial access by infecting SIM cards.
The tag is: misp-galaxy:bhadra-framework="Infecting SIM cards"
Spoofed radio network
Retaining the foothold gained on the target system through the initial access by radio network spoofing.
The tag is: misp-galaxy:bhadra-framework="Spoofed radio network"
Infecting network nodes
Retaining the foothold gained on the target system through the initial access by infecting network nodes.
The tag is: misp-galaxy:bhadra-framework="Infecting network nodes"
Covert channels
Retaining the foothold gained on the target system through the initial access via covert channels.
The tag is: misp-galaxy:bhadra-framework="Covert channels"
Port scanning or sweeping
"Port scanning or sweeping" techniques to probe servers or hosts with open ports.
The tag is: misp-galaxy:bhadra-framework="Port scanning or sweeping"
Perimeter mapping
"perimeter mapping" techniques such as command-line utilities (e.g., nmap and whois), web-based lookup tools and official APIs provided by the Internet registrars that assign the ASNs using a wide range of publicly available sources.
The tag is: misp-galaxy:bhadra-framework="Perimeter mapping"
Threat intelligence gathering
"Threat intelligence gathering" using dedicated search engines (such as Censys, Shodan) to gather information about vulnerable devices or networks, or using advanced search options of traditional search engines.
The tag is: misp-galaxy:bhadra-framework="Threat intelligence gathering"
CN-specific scanning
"CN-specific scanning", used to scan nodes that are interconnected with protocols specific to the mobile communication domain (GTP, SCTP).
The tag is: misp-galaxy:bhadra-framework="CN-specific scanning"
Internal resource search
"Internal resource search" refers to an insider with access to provider internal databases abusing the information as a discovery tactic.
The tag is: misp-galaxy:bhadra-framework="Internal resource search"
UE knocking
"UE knocking" refers to the technique that scans User Equipment, similarly to how IP endpoints and core network nodes are scanned or mapped.
The tag is: misp-galaxy:bhadra-framework="UE knocking"
Exploit roaming agreements
"Exploit roaming agreements" is a technique exploited by evil mobile operators. Despite communication with operators is dependent on a roaming agreement being in place, an attacker that has gained a foothold with one operator, it can abuse the roaming agreements in place for lateral movement with all adjacent operators with agreements in place.
The tag is: misp-galaxy:bhadra-framework="Exploit roaming agreements"
Abusing interworking functionalities
"Abusing Inter-working functionalities" is a technique for adversaries to move between networks of different generations laterally
The tag is: misp-galaxy:bhadra-framework="Abusing interworking functionalities"
Exploit platform & service-specific vulnerabilities
Once an attacker has gained a foothold in an operator, it can conduct privilege escalation and process injection for gaining administrative rights, password cracking of valid user accounts on the nodes, exploit vulnerabilities in databases and file systems, and take advantage of improper configurations of routers and switches.
The tag is: misp-galaxy:bhadra-framework="Exploit platform & service-specific vulnerabilities"
SS7-based-attacks
Attacks abusing the SS7 protocol.
The tag is: misp-galaxy:bhadra-framework="SS7-based-attacks"
Diameter-based attacks
Attacks abusing the Diameter protocol.
The tag is: misp-galaxy:bhadra-framework="Diameter-based attacks"
GTP-based attacks
Attacks abusing the GTP protocol.
The tag is: misp-galaxy:bhadra-framework="GTP-based attacks"
Pre-AKA attacks
Attack techniques that take place during the unencrypted communication that occurs prior to the AKA protocol.
The tag is: misp-galaxy:bhadra-framework="Pre-AKA attacks"
Security audit camouflage
The operating systems, software, and services used on the network nodes are prone to security vulnerabilities and installation of unwanted malware. Although operators conduct routine security audits to track and patch the vulnerabilities or remove the malware from the infected nodes, their effectiveness is not known to the public. Any means by which an adversary can remain undetected from such audits are referred to as the security audit camouflage technique.
The tag is: misp-galaxy:bhadra-framework="Security audit camouflage"
Blacklist evasion
Mobile operators employ several defenses in terms of securing their network traffic. For instance, operators maintain a whitelist of IPs and GTs of nodes from their own infrastructure and their partner operators (as agreed in IR 21), and traffic from only these nodes are processed. Similarly, a blacklist is also maintained to control spam due to configuration errors and malicious traffic. Anything from the blacklist is banned from entering the operator’s network. Such defense mechanisms may defend against unsolicited traffic from external networks (e.g., from the public Internet and SAN), but it barely serves its purpose in the case of attacks from inter-operator communications. Since most of the communication protocols are unauthenticated in nature, an aacker with knowledge of identifiers of the allowed nodes (i.e. gained during the discovery phase) can impersonate their identity. We call it the blacklist evasion technique.
The tag is: misp-galaxy:bhadra-framework="Blacklist evasion"
Middlebox misconfiguration exploits
NAT middleboxes are used for separating private networks of mobile operators from public Internet works as the second line of defense. However, studies have shown that the middleboxes deployed by operators are prone to misconfigurations that allow adversaries to infiltrate malicious traffic into mobile networks e.g., by spoofing the IP headers. Some of the other NAT vulnerabilities lie in IPv4-to-IPv6 address mapping logic, which can be exploited by adversaries to exhaust the resources, wipe out the mapping, or to assist with blacklist evasion. Adversaries use such middlebox misconfiguration exploit techniques to launch denial-of-service or over-billing attacks.
The tag is: misp-galaxy:bhadra-framework="Middlebox misconfiguration exploits"
Bypass Firewall
Adversaries (e.g., evil operators) can for example exploit the implicit trust between roaming partners as a bypass firewall technique.
The tag is: misp-galaxy:bhadra-framework="Bypass Firewall"
Bypass homerouting
SMS home routing is a defense mechanism, where an additional SMS router intervenes in external location queries for SMS deliveries, and the roaming network takes the responsibility of delivering the SMS without providing location information to the external entity. Although many operators have implemented SMS home routing solutions, there are no silver bullets. If the SMS routers are incorrectly configured, adversaries can hide SMS delivery location queries within other messages so that the SMS home router fails to process them. We refer to it as the bypass home routing technique.
The tag is: misp-galaxy:bhadra-framework="Bypass homerouting"
Downgrading
Attacks on the radio access networks are well-studied and newer generations are designed to address the weaknesses in previous generations. Usage of weak cryptographic primitives, lack of integrity protection of the radio channels, and one-sided authentication (only from the network) remain as the problem of mostly GSM only radio communication. So, radio link attackers use downgrading as an attack technique to block service over newer generations and accept to serve only in the GSM radio network. The downgrading technique works similarly in the core network, where the adversary accepts to serve only in SS7-based signaling instead of Diameterbased signaling. Using interworking functions for inter-generation communication translation could make the downgrading attacks much easier.
The tag is: misp-galaxy:bhadra-framework="Downgrading"
Redirection
Redirection technique is a variant of the downgrading technique, where an adversary forcefully routes the traffic through networks or components that are under its control. By redirecting traffic to an unsafe network, the adversary can intercept mobile communication (e.g., calls and SMS) on the RAN part. Redirection attacks on the core network result in not only communication interception, but also in billing discrepancies, as an adversary can route the calls of a mobile user from its home network through a foreign network on a higher call rate.
The tag is: misp-galaxy:bhadra-framework="Redirection"
UE Protection evasion
Protection on the UE is mainly available in the form of antivirus apps as a defense against viruses and malware that steals sensitive information (e.g., banking credentials and user passwords) or track user activities. Simple visual cues on UE (such as notifications) could also be a protection mechanism by itself. Unfortunately, mobile network-based attacks cannot be detected or defended effectively from UE’s side by traditional antivirus apps, and such attacks do not trigger any visual signs. Although there are attempts for defending against radio link attacks, including citywide studies to detect IMSI catchers, their effectiveness is still under debate. Similarly, there are recent attempts to detect signaling attacks using distance bounding protocol run from a UE. However, such solutions are still in the research phase, and their effectiveness on a large scale is still untested. To this end, the absence of robust detection and defense mechanisms on the UE is, in fact, an evasion mechanism for an adversary. We refer to them as UE protection evasion techniques.
The tag is: misp-galaxy:bhadra-framework="UE Protection evasion"
Admin credentials
Stealing legitimate admin credentials for critical nodes is beneficial for the adversary to increase its chances of persistence to the target or masquerade its activities.
The tag is: misp-galaxy:bhadra-framework="Admin credentials"
User-specific identifiers
User-specific identifiers such as IMSI and IMEI are an indicator for who owns UE with a specific subscription and where a UE is located physically. Since mobile users always keep their mobile phones physically near them, an adversary with the knowledge of these permanent identifiers will be able to determine whether or not a user is in a specific location. On the other hand, temporary identifiers (e.g., TMSI and GUTI) are used to reduce the usage of permanent identifiers like IMSI over radio channels. Although the temporary identifiers are supposed to change frequently and expected to live for a short period, research has shown that it is not the case
The tag is: misp-galaxy:bhadra-framework="User-specific identifiers"
User-specific data
Adversaries can collect several types of user-specific data, such as the content of SMS and calls, location dumps from base stations, call and billing records, and browsing-related data (such as DNS queries and unencrypted browsing sessions).
The tag is: misp-galaxy:bhadra-framework="User-specific data"
Network-specific identifiers
Adversaries aim to collect network-specific identifiers such as GTs and IPs of critical nodes and Tunnel Endpoint Identifier (TEID) of GTP tunnels from operators’ networks
The tag is: misp-galaxy:bhadra-framework="Network-specific identifiers"
Network-specific data
Adversaries may also be interested in network-specific data that are obtained mainly during the execution of discovery tactics. Such data includes, e.g., the network topology, the trust relationship between different nodes, routing metadata, and sensitive documents
The tag is: misp-galaxy:bhadra-framework="Network-specific data"
Location tracking
Attacker is able to track the location of the target end-user.
The tag is: misp-galaxy:bhadra-framework="Location tracking"
Calls eavesdropping
Attacker is able to eavesdrop on calls.
The tag is: misp-galaxy:bhadra-framework="Calls eavesdropping"
SMS interception
Attacker is able to intercept SMS messages.
The tag is: misp-galaxy:bhadra-framework="SMS interception"
Data interception
Attacker is able to intercept or modify internet traffic.
The tag is: misp-galaxy:bhadra-framework="Data interception"
Billing frauds
Billing frauds refer to various types of attacks where an adversary causes financial discrepancies for operators.
The tag is: misp-galaxy:bhadra-framework="Billing frauds"
DoS - network
The attacker can create signaling havoc in specific nodes of operators by repeatedly triggering resource allocation or revocation requests.
The tag is: misp-galaxy:bhadra-framework="DoS - network"
DoS - user
The attacker can cause denial of service to mobile users.
The tag is: misp-galaxy:bhadra-framework="DoS - user"
Identity-related attacks
Identity-based attacks involve attack techniques using userand network-specific identifiers. Identity-based attacks cause harm to the privacy of mobile users and produce fraudulent traffic that incurs a financial loss to operators. In most cases, identity-based attacks are used in impersonation, where an adversary impersonates a legitimate mobile user to the core network without possessing appropriate credentials, for example, to avail free mobile services. Most of the signaling attacks that use SS7 are also fall into this category. In other cases, identitybased attacks involve identity mapping, where the adversaries map temporary identifiers (e.g., TMSI and GUTI) to permanent identifiers (e.g., IMSI or MSISDN). In rare cases, the IMSI can further be mapped to social media identities.
The tag is: misp-galaxy:bhadra-framework="Identity-related attacks"
Botnet
botnet galaxy.
| Botnet is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Various
ADB.miner
A new botnet appeared over the weekend, and it’s targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.
The botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system’s native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system’s most sensitive features.
Only devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360’s Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which the named ADB.miner.
The tag is: misp-galaxy:botnet="ADB.miner"
Links |
https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/ |
Bagle
Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.
The tag is: misp-galaxy:botnet="Bagle"
Bagle is also known as:
-
Beagle
-
Mitglieder
-
Lodeight
Bagle has relationships with:
-
similar: misp-galaxy:malpedia="Bagle" with estimative-language:likelihood-probability="likely"
Links |
Marina Botnet
Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.
The tag is: misp-galaxy:botnet="Marina Botnet"
Marina Botnet is also known as:
-
Damon Briant
-
BOB.dc
-
Cotmonger
-
Hacktool.Spammer
-
Kraken
Marina Botnet has relationships with:
-
similar: misp-galaxy:botnet="Kraken" with estimative-language:likelihood-probability="likely"
Links |
Torpig
Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data hajimeon the computer, and can perform man-in-the-browser attacks.
The tag is: misp-galaxy:botnet="Torpig"
Torpig is also known as:
-
Sinowal
-
Anserin
Torpig has relationships with:
-
similar: misp-galaxy:malpedia="Sinowal" with estimative-language:likelihood-probability="likely"
Links |
Storm
The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of "zombie" computers (or "botnet") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.
The tag is: misp-galaxy:botnet="Storm"
Storm is also known as:
-
Nuwar
-
Peacomm
-
Zhelatin
-
Dorf
-
Ecard
Links |
Rustock
The tag is: misp-galaxy:botnet="Rustock"
Rustock is also known as:
-
RKRustok
-
Costrat
Rustock has relationships with:
-
similar: misp-galaxy:malpedia="Rustock" with estimative-language:likelihood-probability="likely"
Links |
Donbot
The tag is: misp-galaxy:botnet="Donbot"
Donbot is also known as:
-
Buzus
-
Bachsoy
Donbot has relationships with:
-
similar: misp-galaxy:malpedia="Buzus" with estimative-language:likelihood-probability="likely"
Links |
Cutwail
The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo.] It affects computers running Microsoft Windows. related to: Wigon, Pushdo
The tag is: misp-galaxy:botnet="Cutwail"
Cutwail is also known as:
-
Pandex
-
Mutant
Cutwail has relationships with:
-
similar: misp-galaxy:malpedia="Cutwail" with estimative-language:likelihood-probability="likely"
Links |
Akbot
Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.
The tag is: misp-galaxy:botnet="Akbot"
Akbot has relationships with:
-
similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"
Links |
Srizbi
Srizbi BotNet, considered one of the world’s largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.
The tag is: misp-galaxy:botnet="Srizbi"
Srizbi is also known as:
-
Cbeplay
-
Exchanger
Links |
Lethic
The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.
The tag is: misp-galaxy:botnet="Lethic"
Lethic has relationships with:
-
similar: misp-galaxy:malpedia="Lethic" with estimative-language:likelihood-probability="likely"
Links |
Xarvester
The tag is: misp-galaxy:botnet="Xarvester"
Xarvester is also known as:
-
Rlsloup
-
Pixoliz
Links |
Sality
Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.
The tag is: misp-galaxy:botnet="Sality"
Sality is also known as:
-
Sector
-
Kuku
-
Sality
-
SalLoad
-
Kookoo
-
SaliCode
-
Kukacka
Sality has relationships with:
-
similar: misp-galaxy:malpedia="Sality" with estimative-language:likelihood-probability="likely"
Links |
Mariposa
The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly (mariposa in Spanish) Bot", making it one of the largest known botnets.
The tag is: misp-galaxy:botnet="Mariposa"
Links |
Conficker
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.
The tag is: misp-galaxy:botnet="Conficker"
Conficker is also known as:
-
DownUp
-
DownAndUp
-
DownAdUp
-
Kido
Conficker has relationships with:
-
similar: misp-galaxy:malpedia="Conficker" with estimative-language:likelihood-probability="likely"
Links |
Waledac
Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.
The tag is: misp-galaxy:botnet="Waledac"
Waledac is also known as:
-
Waled
-
Waledpak
Links |
Maazben
A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.
The tag is: misp-galaxy:botnet="Maazben"
Links |
https://www.symantec.com/connect/blogs/evaluating-botnet-capacity |
Gheg
Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware – it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server – they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).
The tag is: misp-galaxy:botnet="Gheg"
Gheg is also known as:
-
Tofsee
-
Mondera
Gheg has relationships with:
-
similar: misp-galaxy:malpedia="Tofsee" with estimative-language:likelihood-probability="likely"
Links |
Nucrypt
The tag is: misp-galaxy:botnet="Nucrypt"
Links |
https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en |
Asprox
The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.
The tag is: misp-galaxy:botnet="Asprox"
Asprox is also known as:
-
Badsrc
-
Aseljo
-
Danmec
-
Hydraflux
Asprox has relationships with:
-
similar: misp-galaxy:malpedia="Asprox" with estimative-language:likelihood-probability="likely"
Links |
Spamthru
Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machine’s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.
The tag is: misp-galaxy:botnet="Spamthru"
Spamthru is also known as:
-
Spam-DComServ
-
Covesmer
-
Xmiler
Links |
http://www.root777.com/security/analysis-of-spam-thru-botnet/ |
Gumblar
Gumblar is a malicious JavaScript trojan horse file that redirects a user’s Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.
The tag is: misp-galaxy:botnet="Gumblar"
Links |
BredoLab
The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.
The tag is: misp-galaxy:botnet="BredoLab"
BredoLab is also known as:
-
Oficla
BredoLab has relationships with:
-
similar: misp-galaxy:tool="Oficla" with estimative-language:likelihood-probability="likely"
Links |
Grum
The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world’s largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world’s 3rd largest botnet, responsible for 18% of worldwide spam traffic.
The tag is: misp-galaxy:botnet="Grum"
Grum is also known as:
-
Tedroo
-
Reddyb
Links |
Mega-D
The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.
The tag is: misp-galaxy:botnet="Mega-D"
Mega-D is also known as:
-
Ozdok
Links |
Kraken
The Kraken botnet was the world’s largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.
The tag is: misp-galaxy:botnet="Kraken"
Kraken is also known as:
-
Kracken
Kraken has relationships with:
-
similar: misp-galaxy:botnet="Marina Botnet" with estimative-language:likelihood-probability="likely"
Links |
Festi
The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.
The tag is: misp-galaxy:botnet="Festi"
Festi is also known as:
-
Spamnost
Links |
Vulcanbot
Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.
The tag is: misp-galaxy:botnet="Vulcanbot"
Links |
LowSec
The tag is: misp-galaxy:botnet="LowSec"
LowSec is also known as:
-
LowSecurity
-
FreeMoney
-
Ring0.Tools
TDL4
Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system’s network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015,triggered these crashes by breaking assumptions made by the malware author(s).
The tag is: misp-galaxy:botnet="TDL4"
TDL4 is also known as:
-
TDSS
-
Alureon
TDL4 has relationships with:
-
similar: misp-galaxy:malpedia="Alureon" with estimative-language:likelihood-probability="likely"
Links |
Zeus
Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.
The tag is: misp-galaxy:botnet="Zeus"
Zeus is also known as:
-
Zbot
-
ZeuS
-
PRG
-
Wsnpoem
-
Gorhax
-
Kneber
Zeus has relationships with:
-
similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:banker="Zeus" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"
Links |
Kelihos
The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.
The tag is: misp-galaxy:botnet="Kelihos"
Kelihos is also known as:
-
Hlux
Kelihos has relationships with:
-
similar: misp-galaxy:malpedia="Kelihos" with estimative-language:likelihood-probability="likely"
Links |
Ramnit
Ramnit is a Computer worm affecting Windows users. It was estimated that it infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec securities in 2015. In 2015, this infection was estimated at 3 200 000 PCs.
The tag is: misp-galaxy:botnet="Ramnit"
Ramnit has relationships with:
-
similar: misp-galaxy:banker="Ramnit" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"
Links |
Zer0n3t
The tag is: misp-galaxy:botnet="Zer0n3t"
Zer0n3t is also known as:
-
Fib3rl0g1c
-
Zer0n3t
-
Zer0Log1x
Chameleon
The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).
The tag is: misp-galaxy:botnet="Chameleon"
Links |
Mirai
Mirai (Japanese for "the future", 未来) is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.
The tag is: misp-galaxy:botnet="Mirai"
Mirai has relationships with:
-
similar: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Mirai (ELF)" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"
Links |
XorDDoS
XOR DDOS is a Linux trojan used to perform large-scale DDoS
The tag is: misp-galaxy:botnet="XorDDoS"
Links |
Satori
According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.
The tag is: misp-galaxy:botnet="Satori"
Satori is also known as:
-
Okiru
Satori has relationships with:
-
similar: misp-galaxy:tool="Satori" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Satori" with estimative-language:likelihood-probability="likely"
Links |
https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant |
BetaBot
The tag is: misp-galaxy:botnet="BetaBot"
BetaBot has relationships with:
-
similar: misp-galaxy:malpedia="BetaBot" with estimative-language:likelihood-probability="likely"
Hajime
Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown. It is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existance was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).
The tag is: misp-galaxy:botnet="Hajime"
Hajime has relationships with:
-
similar: misp-galaxy:malpedia="Hajime" with estimative-language:likelihood-probability="likely"
Links |
https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/ |
Muhstik
The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS. At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware. Crooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online. The Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.
The tag is: misp-galaxy:botnet="Muhstik"
Links |
Hide and Seek
Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device. The reset operation flushed the device’s flash memory, where the device would keep all its working data, including IoT malware strains. But today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices. By placing itself in this menu, the device’s OS will automatically start the malware’s process after the next reboot.
The tag is: misp-galaxy:botnet="Hide and Seek"
Hide and Seek is also known as:
-
HNS
-
Hide 'N Seek
Hide and Seek has relationships with:
-
similar: misp-galaxy:malpedia="Hide and Seek" with estimative-language:likelihood-probability="likely"
Links |
https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/ |
Mettle
Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.
The tag is: misp-galaxy:botnet="Mettle"
Links |
https://thehackernews.com/2018/05/botnet-malware-hacking.html |
Owari
IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot. Author is called WICKED
The tag is: misp-galaxy:botnet="Owari"
Owari has relationships with:
-
similar: misp-galaxy:malpedia="Owari" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"
Links |
https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html |
Brain Food
Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.
The tag is: misp-galaxy:botnet="Brain Food"
Links |
Pontoeb
The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run command such as: download a file, update itself, visit a website and perform HTTP, SYN, UDP flooding
The tag is: misp-galaxy:botnet="Pontoeb"
Pontoeb is also known as:
-
N0ise
Links |
http://dataprotectioncenter.com/general/are-you-beta-testing-malware/ |
Trik Spam Botnet
The tag is: misp-galaxy:botnet="Trik Spam Botnet"
Trik Spam Botnet is also known as:
-
Trik Trojan
Links |
https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/ |
Madmax
The tag is: misp-galaxy:botnet="Madmax"
Madmax is also known as:
-
Mad Max
Madmax has relationships with:
-
similar: misp-galaxy:tool="Mad Max" with estimative-language:likelihood-probability="likely"
Links |
Pushdo
The tag is: misp-galaxy:botnet="Pushdo"
Pushdo has relationships with:
-
similar: misp-galaxy:malpedia="Pushdo" with estimative-language:likelihood-probability="likely"
Links |
https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/ |
Simda
The tag is: misp-galaxy:botnet="Simda"
Simda has relationships with:
-
similar: misp-galaxy:malpedia="Simda" with estimative-language:likelihood-probability="likely"
Links |
Virut
The tag is: misp-galaxy:botnet="Virut"
Virut has relationships with:
-
similar: misp-galaxy:malpedia="Virut" with estimative-language:likelihood-probability="likely"
Links |
Bamital
The tag is: misp-galaxy:botnet="Bamital"
Bamital is also known as:
-
Mdrop-CSK
-
Agent-OCF
Gafgyt
Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).
The tag is: misp-galaxy:botnet="Gafgyt"
Gafgyt is also known as:
-
Bashlite
Gafgyt has relationships with:
-
similar: misp-galaxy:tool="Gafgyt" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Bashlite" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security-center/writeup/2014-100222-5658-99 |
Sora
Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year.Initial versions were nothing out of the ordinary, and Sora’s original author soon moved on to developing the Mirai Owari version, shortly after Sora’s creation.
The tag is: misp-galaxy:botnet="Sora"
Sora is also known as:
-
Mirai Sora
Sora has relationships with:
-
variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"
Links |
Torii
we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.
The tag is: misp-galaxy:botnet="Torii"
Torii has relationships with:
-
similar: misp-galaxy:malpedia="Torii" with estimative-language:likelihood-probability="likely"
Links |
Persirai
A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.
The tag is: misp-galaxy:botnet="Persirai"
Persirai has relationships with:
-
similar: misp-galaxy:malpedia="Persirai" with estimative-language:likelihood-probability="likely"
Links |
Chalubo
Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.
The tag is: misp-galaxy:botnet="Chalubo"
Links |
AESDDoS
Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.
The tag is: misp-galaxy:botnet="AESDDoS"
Links |
Arceus
A set of DDoS botnet.
The tag is: misp-galaxy:botnet="Arceus"
Arceus is also known as:
-
Katura
-
MyraV
-
myra
Mozi
Mozi infects new devices through weak telnet passwords and exploitation.
The tag is: misp-galaxy:botnet="Mozi"
Links |
https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/ |
https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/ |
UPAS-Kit
UPAS-Kit was advertised by auroras a/k/a vinny in middle of june 2012 via exploit.in. Upas is the predecessor of Kronos. Marcus Hutchins helped create and, in partnership with another, sell malicious computer code, a/k/a malware, known as UPAS-Kit.
The tag is: misp-galaxy:botnet="UPAS-Kit"
UPAS-Kit is also known as:
-
Rombrast
Phorpiex
Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.
The tag is: misp-galaxy:botnet="Phorpiex"
Phorpiex is also known as:
-
Trik
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex |
DDG
First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).
The tag is: misp-galaxy:botnet="DDG"
DDG has relationships with:
-
similar: misp-galaxy:malpedia="DDG" with estimative-language:likelihood-probability="likely"
Glupteba
A multi-component botnet targeting Windows Computer. Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, deploy and operate proxy components targeting Windows systems and IoT devices. The botnet has been observed targeting victims worldwide, including the US, India, Brazil and Southeast Asia. The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS).
The tag is: misp-galaxy:botnet="Glupteba"
Links |
https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ |
Elknot
DDoS Botnet
The tag is: misp-galaxy:botnet="Elknot"
Elknot is also known as:
-
Linux/BillGates
-
BillGates
Links |
https://www.virusbulletin.com/conference/vb2016/abstracts/elknot-ddos-botnets-we-watched |
Cyclops Blink
Advanced modular botnet that is reportedly linked to the Sandworm or Voodoo Bear advanced persistent threat (APT) group.
The tag is: misp-galaxy:botnet="Cyclops Blink"
Links |
https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html |
EnemyBot
In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.
This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.
Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.
The tag is: misp-galaxy:botnet="EnemyBot"
EnemyBot has relationships with:
-
similar: misp-galaxy:malpedia="EnemyBot" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Gafgyt" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Qbot" with estimative-language:likelihood-probability="likely"
Qbot
Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 – two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.
The tag is: misp-galaxy:botnet="Qbot"
Qbot is also known as:
-
QakBot
-
Pinkslipbot
Qbot has relationships with:
-
dropped: misp-galaxy:ransomware="ProLock" with estimative-language:likelihood-probability="likely"
-
used-by: misp-galaxy:ransomware="BlackBasta" with estimative-language:likelihood-probability="likely"
Dark.IoT
This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.
The tag is: misp-galaxy:botnet="Dark.IoT"
Dark.IoT has relationships with:
-
variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
Links |
https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/ |
KmsdBot
Akamai Security Research has observed a new golang malware which they named KmsdBot. The malware scans for open SSH ports and performs a simple dictionary attack against it. The researchers from Akamai monitored only DDoS activity, but discovered also the functionality to launch cryptomining. The malware has varied targets including the gaming industry, technology industry, and luxury car manufacturers.
The tag is: misp-galaxy:botnet="KmsdBot"
Links |
https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware |
Branded Vulnerability
List of known vulnerabilities and attacks with a branding.
| Branded Vulnerability is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Unknown
Meltdown
Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.
The tag is: misp-galaxy:branded-vulnerability="Meltdown"
Spectre
Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.
The tag is: misp-galaxy:branded-vulnerability="Spectre"
Heartbleed
Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug’s name derives from heartbeat. The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.
The tag is: misp-galaxy:branded-vulnerability="Heartbleed"
Shellshock
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
The tag is: misp-galaxy:branded-vulnerability="Shellshock"
Ghost
The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue. During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.
The tag is: misp-galaxy:branded-vulnerability="Ghost"
Stagefright
Stagefright is the name given to a group of software bugs that affect versions 2.2 ("Froyo") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim’s device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn’t have to do anything to ‘accept’ the bug, it happens in the background. The phone number is the only target information.
The tag is: misp-galaxy:branded-vulnerability="Stagefright"
Badlock
Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols[1] supported by Windows and Samba servers.
The tag is: misp-galaxy:branded-vulnerability="Badlock"
Dirty COW
Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.
The tag is: misp-galaxy:branded-vulnerability="Dirty COW"
POODLE
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryptio") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.
The tag is: misp-galaxy:branded-vulnerability="POODLE"
BadUSB
The ‘BadUSB’ vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.
The tag is: misp-galaxy:branded-vulnerability="BadUSB"
ImageTragick
The tag is: misp-galaxy:branded-vulnerability="ImageTragick"
Blacknurse
Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.
The tag is: misp-galaxy:branded-vulnerability="Blacknurse"
SPOILER
SPOILER is a security vulnerability on modern computer central processing units that uses speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel CPUs are vulnerable to the attack. AMD has stated that its processors are not vulnerable.
The tag is: misp-galaxy:branded-vulnerability="SPOILER"
Links |
https://www.overclock3d.net/news/cpu_mainboard/spoiler_alert_-intel_cpus_impacted_by_new_vulnerability/1[https://www.overclock3d.net/news/cpu_mainboard/spoiler_alert-_intel_cpus_impacted_by_new_vulnerability/1] |
https://www.1e.com/news-insights/blogs/the-spoiler-vulnerability/ |
BlueKeep
A ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware
The tag is: misp-galaxy:branded-vulnerability="BlueKeep"
Links |
https://www.welivesecurity.com/2019/05/22/patch-now-bluekeep-vulnerability/ |
Cert EU GovSector
Cert EU GovSector.
| Cert EU GovSector is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Various
Constituency
The tag is: misp-galaxy:cert-eu-govsector="Constituency"
EU-Centric
The tag is: misp-galaxy:cert-eu-govsector="EU-Centric"
EU-nearby
The tag is: misp-galaxy:cert-eu-govsector="EU-nearby"
World-class
The tag is: misp-galaxy:cert-eu-govsector="World-class"
Unknown
The tag is: misp-galaxy:cert-eu-govsector="Unknown"
Outside World
The tag is: misp-galaxy:cert-eu-govsector="Outside World"
China Defence Universities Tracker
The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre..
| China Defence Universities Tracker is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Australian Strategic Policy Institute
Academy of Military Science (中国人民解放军军事科学院)
AMS is responsible for leading and coordinating military science for the whole military. AMS is involved in not only the development of theory, strategy, and doctrine but also advancing national defense innovation. Pursuant to the PLA reforms, AMS has undergone dramatic changes starting in June 2017. At a July 2017 ceremony marking the AMS’s reorganisation, Xi urged the AMS to construct a ‘world-class military scientific research institution.’ Through the National Defence Science and Technology Innovation Institute, the AMS is pursuing research in cutting-edge technologies including unmanned systems, artificial intelligence, biotechnology and quantum technology.
The tag is: misp-galaxy:china-defence-universities="Academy of Military Science (中国人民解放军军事科学院)"
Links |
https://unitracker.aspi.org.au/universities/academy-of-military-science |
Aero Engine Corporation of China (中国航空发动机集团有限公司)
AECC is a leading producer of aircraft parts for the People’s Liberation Army (PLA), having separated from its parent company the Aviation Industry Corporation of China (AVIC) in 2016. The company reports having 27 affiliated or subordinate companies, three major listed companies, and 84,000 staff. AVIC and the Commercial Aircraft Corporation of China (also known as COMAC) are major shareholders in AECC.AECC’s main products include aircraft engines, combustion gas turbines, and transmission systems. AECC also develops aircraft power units, helicopter drive systems, monocrystalline blades, turbine disks, and graphene.AECC was established in order to improve China’s capability in developing domestically built aircraft engines as part of the ‘Made in China 2025’ program. A priority is strengthening its supply chains within China. Though indigenously developed engines have proven challenging for AECC, the company had purported success in providing thrust vector control technology for the J-10B fighter jet.
The tag is: misp-galaxy:china-defence-universities="Aero Engine Corporation of China (中国航空发动机集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/aero-engine-corporation-of-china |
Air Force Command College (中国人民解放军空军指挥学院)
The PLA Air Force Command College in Beijing is considered the PLA Air Force’s ‘peak institution for educating mid-rank and senior officers’ for command posts across the service. The college has a long history and was initially established in Nanjing during the early years of the People’s Republic in 1958.The Air Force Command College offers a range of degree programmes, mainly at the postgraduate level, including training in military disciplines such as military history, strategy, and tactics. It has published research on control science and radar. The college’s other specialties include battlefield command, military operations as well as political–ideological education.
The tag is: misp-galaxy:china-defence-universities="Air Force Command College (中国人民解放军空军指挥学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-command-college |
Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)
The Air Force Communications Officers Academy is the PLA’s premier institution for the training of non-commissioned officers in communications systems and security. Established in 1986 as the Dalian Communications NCO College, the institution was renamed after Xi Jinping’s military reforms in 2017. The academy’s areas of research include command automation and satellite communications, along with wired and wireless communications.
The tag is: misp-galaxy:china-defence-universities="Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)"
Links |
https://unitracker.aspi.org.au/universities/air-force-communications-officers-college |
Air Force Early Warning Academy (中国人民解放军空军预警学院)
The Air Force Early Warning Academy is ‘an institution that trains military personnel from the PLA Air Force and Navy’s radar and electronic warfare units in command, engineering and technology’ that was established after the amalgamation of the Air Defence Academy and Radar College in 1958. As such, the Air Force Early Warning Academy focuses its research on radar engineering, information command systems engineering, networked command engineering, and early warning detection systems.
The tag is: misp-galaxy:china-defence-universities="Air Force Early Warning Academy (中国人民解放军空军预警学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-early-warning-academy |
Air Force Engineering University (中国人民解放军空军工程大学)
The Air Force Engineering University (AFEU) is one of the PLA’s five comprehensive universities alongside NUDT, Naval Engineering University, PLA Information Engineering University and Army Engineering University. It trains students in a variety of engineering and military disciplines related to air combat.AFEU currently has around 8,000 students, including 1,600 postgraduate students. Its priority areas include technical studies in information and communication systems engineering as well as in social sciences such as in professional military training. Research into unmanned aerial vehicle technology is another important area of research at the university. In 2017, China’s Ministry of Education ranked AFEU equal fourth for armament science out of nine universities, only awarding it a B- grade for the discipline.Colleges under AFEU include:
The tag is: misp-galaxy:china-defence-universities="Air Force Engineering University (中国人民解放军空军工程大学)"
Links |
https://unitracker.aspi.org.au/universities/air-force-engineering-university |
Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)
Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)
The tag is: misp-galaxy:china-defence-universities="Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-flight-academy-shijiazhuang |
Air Force Harbin Flight Academy (空军哈尔滨飞行学院)
The Academy is home to the Air Force Harbin Flight Academy Simulation Training Center, 2,500m2 large-scale aircraft simulator where students can train in simulated transport and bomber aircraft. The Academy hopes to continue developing the Simulation Training Center into a ‘laboratory for air operations,’ including advanced trainings like simulated tactical confrontations.
The tag is: misp-galaxy:china-defence-universities="Air Force Harbin Flight Academy (空军哈尔滨飞行学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-harbin-flight-academy |
Air Force Logistics University (中国人民解放军空军后勤学院)
The Air Force Logistics University is an institution devoted to the study of command, management and technology for the PLA, established in Shanxi by the Central Military Commission in 1954. The university focusses its research on ‘management engineering’ for military equipment such as weaponry and aircraft fuel and also maintains research programmes on air battle command and personnel management.
The tag is: misp-galaxy:china-defence-universities="Air Force Logistics University (中国人民解放军空军后勤学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-logistics-university |
Air Force Medical University (中国人民解放军空军军医大学)
The Air Force Medical University, also known as the Fourth Military Medical University, is the PLA’s premier institution for research into medical and psychological sciences, having been placed under command of the Air Force after Xi Jinping’s military reforms in 2017. Its major areas of study are medical and psychological sciences tailored for personnel engaging in air and space operations, military preventative medicine and various other forms of clinical research.The Air Force Medical University conducts significant amounts of psychological research. Scientists from the Air Force Medical University have written studies on suicide, mental health across China, and mental health in military universities. The university’s scientists have also looked at the extent to which mindfulness training can reduce anxiety for undergraduates at military universities, and at how fear induced by virtual combat scenarios impacts decision-making. This indicates that the university is interested in issues of troop morale and decision-making in high-stress situations.
The tag is: misp-galaxy:china-defence-universities="Air Force Medical University (中国人民解放军空军军医大学)"
Links |
https://unitracker.aspi.org.au/universities/fourth-military-medical-university |
Air Force Research Institute (中国人民解放军空军研究院)
The Air Force Research Institute is an air force scientific research institute, the successor to the Air Force Equipment Academy (空军装备研究院), that was established in 2017. The institute runs the Key Laboratory of Complex Aviation System Simulation (复杂航空系统仿真国防重点实验室) and carries out research on areas such as aircraft design, flight control, guidance and navigation, and electronic countermeasures.
The tag is: misp-galaxy:china-defence-universities="Air Force Research Institute (中国人民解放军空军研究院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-research-institute |
Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)
Created upon the merger of the PLA Air Force’s Second and Fifth Flight Academies in 2011, the Air Force Xi’an Flight Academy specialises in training airmen in aviation while passing on the PLA’s ‘revolutionary traditions’. It remains ‘one of the Air Force’s three advanced institutions in air combat, and is known to train the PLA Air Force’s JJ-7 fighter pilots. Given this focus on training, the institution engages in little scientific research.
The tag is: misp-galaxy:china-defence-universities="Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-xian-flight-academy |
Anhui University (安徽大学)
Anhui University is overseen by the Anhui Provincial Government. In January 2019, defence industry agency SASTIND and the Anhui Provincial Government signed an agreement to jointly develop Anhui University. This agreement with SASTIND suggests that the university will increase its role in defense research in the future.
The tag is: misp-galaxy:china-defence-universities="Anhui University (安徽大学)"
Links |
https://unitracker.aspi.org.au/universities/anhui-university |
Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)
The Army Academy of the Armored Forces is China’s lead institute responsible for training and research for armoured combat. This includes a focus on tank warfare, mechanised artillery and infantry operations. The academy offers training in ‘armored combat command, surveillance and intelligence, operational tactics’ as well as in engineering disciplines relevant to operations involving the PLA Ground Force’s armoured corps, such as materials science, mechanical engineering, electrical engineering and automation, communications engineering, weapons systems engineering and photoelectric information science.
The tag is: misp-galaxy:china-defence-universities="Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)"
Links |
https://unitracker.aspi.org.au/universities/army-academy-of-armored-forces |
Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)
The Army Academy of Artillery and Air Defense is an institution devoted to training artillery and air defence officers in the PLA Ground Force. Its areas of focus include electrical engineering and automation, munitions engineering and explosives technology, radar engineering, and missile engineering.
The tag is: misp-galaxy:china-defence-universities="Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)"
Links |
https://unitracker.aspi.org.au/universities/army-academy-of-artillery-and-air-defense |
Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)
With a history dating back to 1941, the Army Academy of Border and Coastal Defense is the only institution of higher education devoted to training PLA Ground Force personnel in border and coastal defence operations. Its subjects of focus include firepower command and control engineering, and command information systems engineering.
The tag is: misp-galaxy:china-defence-universities="Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)"
Links |
https://unitracker.aspi.org.au/universities/army-academy-of-border-and-coastal-defense |
Army Aviation College (中国人民解放军陆军航空兵学院)
The Army Aviation College is the PLA’s institution responsible for training mid-career helicopter pilots from the PLA Air Force and aviation officers from the PLA Ground Force. The college’s subject areas include aircraft and engine design, aviation communications and air defence systems, flight radar maintenance engineering, and combat aircraft maintenance engineering.
The tag is: misp-galaxy:china-defence-universities="Army Aviation College (中国人民解放军陆军航空兵学院)"
Links |
https://unitracker.aspi.org.au/universities/army-aviation-college |
Army Engineering University (中国人民解放军陆军工程大学)
The Army Engineering University was established in 2017 following the abolition of the PLA University of Science and Technology. The university is devoted to research on ‘engineering, technology and combat command systems’ for the PLA Land Force.The university’s areas of research include:
The tag is: misp-galaxy:china-defence-universities="Army Engineering University (中国人民解放军陆军工程大学)"
Links |
https://unitracker.aspi.org.au/universities/army-engineering-university |
Army Infantry Academy (中国人民解放军陆军步兵学院)
The Army Infantry Academy is a higher education institution in China devoted to providing elementary training in command for infantry soldiers in the PLA Ground Force. The academy teaches courses in operational disciplines such as command information systems engineering, armored vehicles engineering and weapons systems engineering. As well as providing formal teaching, the Army Infantry Academy also provides oversight for training exercises and electronic warfare simulations.
The tag is: misp-galaxy:china-defence-universities="Army Infantry Academy (中国人民解放军陆军步兵学院)"
Links |
https://unitracker.aspi.org.au/universities/army-infantry-academy |
Army Medical University (中国人民解放军陆军军医大学)
The PLA Army Medical University, formerly known as the Third Military Medical University, is a medical education university affiliated with the PLA Ground Force. It was formed in 2017 through a merger with the PLA Western Theater Command Urumqi Comprehensive Training Base’s Military Medical Training Brigade and the Tibet Military Region’s Eighth Hospital. The Army Medical University includes six national key laboratories and 32 Ministry of Education or military key laboratories. It has won military awards for science and technology progress and seven national science and technology prizes.
The tag is: misp-galaxy:china-defence-universities="Army Medical University (中国人民解放军陆军军医大学)"
Links |
https://unitracker.aspi.org.au/universities/army-medical-university |
Army Military Transportation Academy (中国人民解放军陆军军事交通学院)
The Army Military Transport Academy is a higher education institution devoted to training PLA Ground Force personnel in military transport and logistics. The academy focusses on military transport command engineering, command and automation engineering, ordnance engineering, and armament sustainment command.
The tag is: misp-galaxy:china-defence-universities="Army Military Transportation Academy (中国人民解放军陆军军事交通学院)"
Links |
https://unitracker.aspi.org.au/universities/army-military-transportation-academy-2 |
Army Research Institute (中国人民解放军陆军研究院)
The Army Research Institute is an institution devoted to advanced defence research with applications to land warfare. The institute engages in a variety of defence research including radar technology, lasers, and hybrid electric vehicles. Researchers from the institute are known to have collaborated with partners from China’s civilian universities in areas such as advanced manufacturing and automatic control, and laser technology.The Army Research Institute collaborates with civilian companies as part of China’s military-civil fusion program. For example, General Guo Guangsheng from the Army Research Institute made a visit to Hong Run Precision Instruments Co. Ltd. (虹润精密仪器有限公司) on 24 August 2019 to assess how the company was performing in its military-civil fusion activities. Researchers from the Army Research Institute have also been involved in the product design and development of dual-use automobiles as part of a military-civil fusion project called ‘Research, Development and Commerialisation of Advanced Off-road Passenger Vehicles’ (新一代军民通用高端越野乘用汽车研发及产业化). The project included research into vehicles such as the BJ80 military and civilian off-road passenger vehicles as well as the BJ40L off-road vehicle.
The tag is: misp-galaxy:china-defence-universities="Army Research Institute (中国人民解放军陆军研究院)"
Links |
https://unitracker.aspi.org.au/universities/army-research-institute |
Army Service Academy (中国人民解放军陆军勤务学院)
The Army Service Academy is an institution of higher education in the PLA devoted to training personnel in a variety of logistics disciplines. The logistics disciplines taught at the academy include: fuel logistics, military facility management, military procurement management, and integrated logistics management. Its areas of focus for defence research include military energy engineering, defence engineering, and management science and engineering.
The tag is: misp-galaxy:china-defence-universities="Army Service Academy (中国人民解放军陆军勤务学院)"
Links |
https://unitracker.aspi.org.au/universities/army-service-academy |
Army Special Operations Academy (中国人民解放军陆军特种作战学院)
The academy’s key subjects include special operations command, surveillance and intelligence, and command information systems engineering.
The tag is: misp-galaxy:china-defence-universities="Army Special Operations Academy (中国人民解放军陆军特种作战学院)"
Links |
https://unitracker.aspi.org.au/universities/army-special-operations-academy |
Aviation Industry Corporation of China (中国航空工业集团有限公司)
AVIC is a state-owned defence conglomerate established in 2008 that focuses on providing aerospace products for military and civilian customers. AVIC’s main product lines include a variety of aircraft for freight, commercial and military aviation along with other more specialised products such as printed circuit boards, liquid crystal displays and automotive parts, according to Bloomberg. AVIC also provides services to the aviation sector through flight testing, engineering, logistics and asset management.The conglomerate has over 400,000 employees and has a controlling share in around 200 companies. AVIC has over 25 subsidiaries listed on its website.AVIC is the PLA Air Force’s largest supplier of military aircraft, producing fighter jets, strike aircraft, unmanned aerial vehicles and surveillance aircraft. Along with its core work on military aircraft, AVIC also produces surface-to-air, air-to-surface and air-to-air missiles. Its headline projects include the J-10 and the J-11 fighter aircraft. AVIC’s subsidiary, the Shenyang Aircraft Corporation, was responsible for delivery of the J-15 fighter. Another subsidiary of AVIC, the Chengdu Aerospace Corporation, developed the PLA-AF’s J-20 stealth fighter jet.
The tag is: misp-galaxy:china-defence-universities="Aviation Industry Corporation of China (中国航空工业集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/aviation-industry-corporation-of-china |
Aviation University of Air Force (中国人民解放军空军航空大学)
AUAF is one of China’s main institutions devoted to the training of air force pilots. Its areas of focus are training in flight command and research into aeronautical engineering. Disciplines taught at AUAF include command science and engineering, aerospace science and technology as well as political work and military command.AUAF scientists publish and attend conferences on radar technology and electronic countermeasures. For example, scientists from AUAF’s Information Countermeasures Division co-authored a publication on radar target recognition with a researcher from the PLA’s Unit 94936 – an aviation unit stationed in Hangzhou. AUAF scientists have also done notable work on complex systems radar and signal pre-sorting.
The tag is: misp-galaxy:china-defence-universities="Aviation University of Air Force (中国人民解放军空军航空大学)"
Links |
https://unitracker.aspi.org.au/universities/aviation-university-of-air-force |
Beihang University (北京航空航天大学)
Beihang University engages in very high levels of defence research as one of the ‘Seven Sons of National Defence’ subordinate to the Ministry of Industry and Information Technology. The university specialises in aviation and spaceflight research. The top four employers of Beihang graduates in 2018 were all state-owned missile or defence aviation companies. In total, 29% of 2018 Beihang graduates who found employment were working in the defence sector.Beihang scientists are involved in the development of Chinese military aircraft and missiles. In 2018, the university signed a comprehensive strategic cooperation agreement with China Aerospace Science and Technology Corporation, a state-owned conglomerate that produces ballistic missiles and satellites. The university is also noteworthy for its leading research on stealth technology.Beihang hosts at least eight major defence laboratories working on fields such as aircraft engines, inertial navigation and fluid dynamics.
The tag is: misp-galaxy:china-defence-universities="Beihang University (北京航空航天大学)"
Links |
https://unitracker.aspi.org.au/universities/beihang-university |
Beijing Electronic Science and Technology Institute (北京电子科技学院)
BESTI is a secretive university that trains information security experts for the bureaucracy. The institute is the only university run by the CCP General Office, which manages administrative matters for the Central Committee. The General Office is usually run by one of the general secretary’s most trusted aides. It oversees China’s cryptographic and state secrets agency as well as security for the party’s leadership.BESTI has a student population of around 2,000 and has strict admission requirements. Students at the university are scrutinized for their political beliefs, and are typically CCP or Communist Youth League members. The activities of their relatives are screened for political issues. Having no parents or siblings who worked abroad or were involved in ‘illegal organisations’ is a condition of enrolment. The institute claims to count 50 ministerial-level party officials among its 12,000 graduates.BESTI has a close relationship with Xidian University and Beijing University of Posts and Telecommunications. The two universities are its primary collaborators on scientific papers. BESTI runs joint master’s programs with Xidian University in cryptography, information and communication engineering, and computer applications technology. It also has joint doctoral programs with the University of Science and Technology of China and Beijing University of Posts and Telecommunications in cybersecurity.The university runs the Key Laboratory of Information Security (信息安全重点实验室/信息安全与保密重点实验室). Several websites claim that it runs a joint laboratory with the Chinese Academy of Sciences Institute of High Energy Physics, but this could not be confirmed.
The tag is: misp-galaxy:china-defence-universities="Beijing Electronic Science and Technology Institute (北京电子科技学院)"
Links |
https://unitracker.aspi.org.au/universities/beijing-electronic-science-and-technology-institute |
Beijing Institute of Technology (北京理工大学)
BIT is one of the ‘Seven Sons of National Defence’ supervised by MIIT. It is a leading centre of military research and one of only fourteen institutions accredited to award doctorates in weapons science. In 2017, China’s Ministry of Education ranked BIT and Nanjing University of Science and Technology as the country’s top institutions for weapons science. It has received the most defence research prizes and defence patents out of all China’s universities. 31.80% of BIT graduates in 2018 who found employment were working in the defence sector.BIT’s claimed achievements include producing the PRC’s first light tank, first two-stage solid sounding rocket and first low-altitude altimetry radar. The university also states that it carries out world-class research on several areas of missile technology including “precision strikes, high damage efficiency, maneuver penetration, long-range suppression, and military communications systems and counter-measures”. In 2018, BIT announced that it was running a four-year experimental program training some of China’s top high school students in intelligent weapons systems.BIT is the chair of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in weapons science—the ‘B’ in ‘B8’ stands for Chinese work for armaments, bingqi (兵器).BIT’s central role in advancing PLA warfighting capability is demonstrated by the fact that it participated in the development of equipment used by 22 of the 30 squads in the 2009 military parade for the 60th anniversary of the founding of the PRC.
The tag is: misp-galaxy:china-defence-universities="Beijing Institute of Technology (北京理工大学)"
Links |
https://unitracker.aspi.org.au/universities/beijing-institute-of-technology |
Beijing University of Chemical Technology (北京化工大学)
BUCT is subordinate to the Ministry of Education. The university engages in high levels of defence research. In 2016, the Ministry of Education and defence industry agency SASTIND agreed to jointly construct BUCT, a move designed to expand its involvement in defence research.Between 2011 and 2015, the university’s spending on defence research reached RMB272 million (AUD56 million), approximately 15% of the university’s research spending and an increase of around 50% over the previous five years.BUCT specialises in the development and application of critical materials for the defence industry. Its research on carbon fibres has been applied to the aerospace industry.BUCT holds secret-level security credentials, allowing it to participate in classified defence and weapons technology projects.
The tag is: misp-galaxy:china-defence-universities="Beijing University of Chemical Technology (北京化工大学)"
Links |
https://unitracker.aspi.org.au/universities/beijing-university-of-chemical-technology |
Beijing University of Posts and Telecommunications (北京邮电大学)
BUPT is subordinate to the Ministry of Education in addition to being jointly constructed by the Ministry of Industry and Information Technology. BUPT is one of eight Chinese universities known to have received top-secret security credentials. Since its establishment, the university has focused on information engineering and computer science, and has continued to produce important defence and security technology research.The School of Cyberspace Security is home to one of the university’s two defence laboratories—the Key Laboratory of Network and Information Attack & Defense Technology of Ministry of Education—which carries out research for the Chinese military related to cyber attacks.BUPT is a member of several military-civilian fusion (MCF) alliances and has been awarded for its contributions to MCF and the PLA. During the past three years, major employers of BUPT graduates include the Ministry of State Security, the Ministry of Public Security and MIIT. This suggests a close relationship between BUPT and China’s security and intelligence agencies.
The tag is: misp-galaxy:china-defence-universities="Beijing University of Posts and Telecommunications (北京邮电大学)"
Links |
https://unitracker.aspi.org.au/universities/beijing-university-of-posts-and-telecommunications |
Central South University (中南大学)
Out of all universities subordinate to the MOE, CSU reportedly receives the most military research funding and was the first to receive a weapons production license. In 2008 and 2011 respectively, the defence industry agency SASTIND and the Ministry of Education (MOE) signed agreements to jointly supervise CSU. Under this arrangement, SASTIND committed to expanding CSU’s involvement in defence research and support the development of its School of Aeronautics and Astronautics and Military Industry Technology Research Institute.CSU’s defence research appears to focus on metallurgy, materials science, and aviation technology, including the development of heat-resistant materials for aeroplane and rocket engines. The university has been involved in the development of China’s first atomic bomb, first intermediate-range ballistic missile, and first nuclear submarine. In 2018, it signed a strategic cooperation agreement with the Chinese Academy of Launch Vehicle Technology, a subsidiary of China Aerospace Science and Technology Corporation that is included on the US BIS Entity List for its involvement in developing rockets.
The tag is: misp-galaxy:china-defence-universities="Central South University (中南大学)"
Links |
https://unitracker.aspi.org.au/universities/central-south-university |
Changchun University of Science and Technology (长春理工大学)
CUST is primarily supervised by the Jilin Provincial Government but has also been under the administration of SASTIND and its predecessors for over 30 years over its history. The university specialises in photoelectric technology and has a strong focus on defence research. CUST describes itself as having ‘safeguarding national defence as its sublime responsibility and sacred mission.’CUST is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armaments science—the ‘B’ in ‘B8’ stands for Chinese work for armaments, bingqi (兵器). In April 2018, CUST established the School of Artificial Intelligence (人工智能学院) and the Artificial Intelligence Research Institute (人工智能研究院 ). CUST researchers working on AI are likely involved in research related to facial recognition technology.
The tag is: misp-galaxy:china-defence-universities="Changchun University of Science and Technology (长春理工大学)"
Links |
https://unitracker.aspi.org.au/universities/changchun-university-of-science-and-technology |
China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)
CARDC claims to be China’s largest aerodynamics research and testing base. It hosts the State Key Laboratory of Aerodynamics (空气动力学国家重点实验室), which includes five wind tunnels and a large computer cluster. CARDC is heavily involved in research on hypersonics.While CARDC is a military unit, its website does not mention this. The PLA officers leading the facility are instead pictured on its website in civilian clothes(pictured: CARDC director, Major General Fan Zhaolin (范召林) in uniform (above) and in civilian attire on CARDC’s website (below).
The tag is: misp-galaxy:china-defence-universities="China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)"
Links |
https://unitracker.aspi.org.au/universities/china-aerodynamics-research-and-development-center |
China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)
CASIC specialises in defence equipment and aerospace products, particularly short- and medium-range missiles. CASIC is a leading provider to the Chinese military of high-end capabilities such as air-defence, cruise, and ballistic missile systems along with space launch vehicles, micro-satellites and anti-satellite interceptors, according to Mark Stokes and Dean Cheng. CASIC employs over 146,000 employees and is on the Fortune 500 list with revenue exceeding USD37 billion (AUD55 billion).Although defence products form part of CASIC’s main product line, the company also produces products for civilian customers such as electronics, communications equipment and medical equipment. Nevertheless, CASIC claims that it ‘will always uphold its core value of ranking national interests above all’, which indicates that civilian products receive less priority than defence equipment.
The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-aerospace-science-and-industry-corporation |
China Aerospace Science and Technology Corporation (中国航天科技集团)
CASC was established in 1999 as a defence aerospace conglomerate. The company is primarily focused on ‘developing carrier rockets, various kinds of satellites, … and tactical missile systems.’ With revenues nearing USD38 billion (AUD55 billion), CASC employs nearly 180,000 personnel and is on the Fortune 500 list.PLA experts Mark Stokes and Dean Cheng have noted that CASC’s main products for the PLA include ‘ballistic missiles and space launch vehicles, large solid rocket motors, liquid fuelled engines, satellites, and related sub-assemblies and components.’ The Federation of American Scientists claims CASC is particularly advanced in high-energy propellant technology, satellite applications, strap-on boosters and system integration.CASC maintains an investment business which may be geared towards civilian purposes, according to Bloomberg. The Federation of American Scientists notes that some civilian product lines for CASC include ‘machinery, chemicals, communications equipment, transportation equipment, computers, medical care products and environmental protection equipment.’CASC oversees multiple research academies, which have been separately identified by Mark Stokes and Dean Cheng and by the Nuclear Threat Initiative.The Nuclear Threat Initiative has identified that CASC has the following subordinate companies:
The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Technology Corporation (中国航天科技集团)"
Links |
https://unitracker.aspi.org.au/universities/china-aerospace-science-and-technology-corporation |
China Coast Guard Academy (中国人民武装警察部队海警学院)
The China Coast Guard Academy is an institution of higher learning that trains personnel for entry into China’s maritime border defence agency. The academy teaches conducts research and training in maritime law enforcement, warship technology as well as surveillance and intelligence disciplines.The China Coast Guard Academy established the Large Surface Vessel Operation and Simulation Laboratory (大型船艇操纵仿真实验室) in 2016, which focuses on the development of white-hulled boats for the China Coast Guard.
The tag is: misp-galaxy:china-defence-universities="China Coast Guard Academy (中国人民武装警察部队海警学院)"
Links |
https://unitracker.aspi.org.au/universities/china-coast-guard-academy |
China Electronics Corporation (中国电子信息产业集团有限公司)
CEC is a state-owned conglomerate that produces dual-use electronics. The company was established in 1989 to produce semi-conductors, electronic components, software and telecommunications products. The company describes itself as a defence industry conglomerate.CEC is one of China’s largest companies with nearly 120 thousand employees. CEC claims to hold 22 subordinate enterprises and 14 listed companies. Global Security has provided a list of CEC’s 36 member companies in English.CEC is divided into two operational groups. First is the China Electronics Party Institute (中国电子党校), which provides disciplinary oversight and organises communist party activities within CEC. Second is the Science and Technology Committee (科学技术委员会), which is responsible for research and development within CEC.CEC’s defence electronics are developed by the Military Engineering Department (军工部) within CEC’s Science and Technology Committee. Key defence electronics produced by CEC include tracking stations, radar technology, as well as command and control systems. The company maintains its own office for the management of classified information related to defence research. The Federation of American Scientists has identified CEC’s defence-related enterprises on a list that can be found here.
The tag is: misp-galaxy:china-defence-universities="China Electronics Corporation (中国电子信息产业集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-electronics-corporation |
China Electronics Technology Group Corporation (中国电子科技集团公司)
CETC is a state-owned defence conglomerate that specialises in dual-use electronics. The company was established in 2002 by bringing dozens of research institutes administered by the Ministry of Information Industry, the predecessor to the Ministry of Industry and Information Technology, under one umbrella.CETC is one of the world’s largest defence companies. It claims to have 523 subordinate units and companies and 160,000 employees.CETC divides its defence electronics products into seven categories: air base early warning, integrated electronic information systems, radar, communication and navigation, electronic warfare, UAVs and integrated IFF (identification, friend or foe). CETC also provides technology used for human rights abuses in Xinjiang, where approximately 1.5m are held in re-education camps.Several CETC research institutes and subsidiaries have been added to the US Government’s entity list, restricting exports to them on national security grounds. CETC has been implicated by the US Department of Justice in at least three cases of illegal exports.CETC has a large international market and has also expanded its international research collaboration in recent years. It has a European headquarters in Graz, Austria, and has invested in the University of Technology Sydney.
The tag is: misp-galaxy:china-defence-universities="China Electronics Technology Group Corporation (中国电子科技集团公司)"
Links |
https://unitracker.aspi.org.au/universities/china-electronics-technology-group-corporation |
China National Nuclear Corporation (中国核工业集团有限公司)
CNCC is the leading state-owned enterprise for China’s civilian and military nuclear programs. It consists of more than 200 subordinate enterprises and research institutes, many of which are listed on the Nuclear Threat Initiative website. In 2018, CNNC took over China’s main nuclear construction company, China Nuclear Engineering and Construction Group (中国核工业建设集团).The company is organized into eight industrial sectors, including nuclear power, nuclear power generation, nuclear fuel, natural uranium, nuclear environmental protection, application of nuclear technologies, non-nuclear civilian products and new energy sources. CNNC is mainly engaged in research and development, design, construction and production operations in the fields of nuclear power, nuclear fuel cycle, nuclear technology application, and nuclear environmental protection engineering.Because of the dual-use nature of nuclear technologies, the nuclear industry is a typical military-civil fusion industry. Naval nuclear power technology and nuclear reactor technology in the reactor core, fuel assembly, safety and security, and radioactive waste treatment all use the same or very similar processes. In March 2019, CNNC established an military-civil fusion fund dedicated to dual-use nuclear technology research and design.Two CNNC subsidiaries have been added to the US Government’s Entity List, restricting exports to them on national security grounds.CNNC has cooperated with U.S. Westinghouse Electric to construct AP1000 nuclear power plants. The company also has a significant overseas presence, signing agreements for joint research with U.S., French, Canadian, U.K., Russian and Argentinian companies.
The tag is: misp-galaxy:china-defence-universities="China National Nuclear Corporation (中国核工业集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-national-nuclear-corporation |
China North Industries Group (中国兵器工业集团公司)
Norinco Group was established in 1999 as a state-owned defence conglomerate devoted to the development and production of armaments for Chinese and foreign defence customers. Its main defence products include artillery and tear gas, air defence and anti-missile systems, anti-tank missiles and precision-guided munitions as well as armoured vehicles such as main battle tanks and infantry combat vehicles. Bloomberg reports that Norinco Group’s civilian products include various engineering services and heavy-duty construction equipment. Norinco Group employs over 210,000 personnel, has revenues exceeding US$68.8 billion and is listed on the Fortune 500.Norinco Group has hundreds of subsidiaries and subordinate research institutes in China and around the world that have been catalogued by the International Peace Information Service and Omega Research Foundation in their working paper on the company and on Norinco Group’s website.Norinco Group’s Institute of Computer Application Technology (中国兵器工业计算机应用技术研究所) was one of the first adopters of internet technology and remains a leading company for research into network security. The institute hosts four internet research centres and is reported to work with the National Administration for State Secrets Protection (国家保密局) on the Information Security and Testing and Evaluation Centre (涉密信息系统安全保密测评中心).
The tag is: misp-galaxy:china-defence-universities="China North Industries Group (中国兵器工业集团公司)"
Links |
https://unitracker.aspi.org.au/universities/china-north-industries-group |
China People’s Police University (中国人民警察大学)
The China People’s Police University is an institution of higher learning devoted to training active duty police officers and firefighters in command and management as well as specialist technical officers. The curriculum is separated into two main streams, one for police officers and the other for firefighters. Its police disciplines include immigrant management, entry-exit and border control management, security intelligence, cyber-security, and political work. Its firefighting disciplines include firefighting engineering, electronic information engineering, and nuclear and biochemical fire control.Research facilities at the university include:
The tag is: misp-galaxy:china-defence-universities="China People’s Police University (中国人民警察大学)"
Links |
https://unitracker.aspi.org.au/universities/china-peoples-police-university |
China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)
CSIC was established as one of China’s primary state-owned defence companies on 1 July 1999. CSIC is the PLA Navy’s largest supplier of weapons platforms, accounting for nearly 80 per cent of all armaments. CSIC’s signature products include conventional and nuclear submarines, warships and torpedoes, as well as the Liaoning aircraft carrier program.CSIC maintains a civilian shipbuilding program alongside its program of supplying the PLA Navy. CSIC’s civilian work includes the production of oil and chemical tankers, container ships, bulk carriers and engineering ships.On 2 July 2019, it was announced that CSIC and the China State Shipbuilding Corporation would merge. According to Janes Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’ Nikkei has listed some of CSIC’s main subsidiaries here.
The tag is: misp-galaxy:china-defence-universities="China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-shipbuilding-industry-corporation |
China South Industries Group (中国兵器装备集团有限公司)
CSGC is a leading producer of armaments for the People’s Liberation Army. It was founded in 1999 and works on technologies such as advanced munitions, mobile assault weapons, lights armaments, information optoelectronics and counter-terrorism equipment. CSGC also maintains civilian product lines focused on the oil and energy sector, but most of the company’s attention goes to developing armaments. The company employs nearly 200,000 personnel, its revenue approaches USD34 billion (AUD50 billion) and it is listed as a Fortune 500 company.CSGC holds a controlling share in more than 60 subsidiaries. 32 of these are listed on the company’s website.
The tag is: misp-galaxy:china-defence-universities="China South Industries Group (中国兵器装备集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-south-industries-group |
China State Shipbuilding Corporation (中国船舶工业集团有限公司)
CSCC was established as one China’s primary state-owned weapons companies on 1 July 1999 to build ships for military and civilian customers. CSSC markets itself as as the ‘backbone’ of the Chinese navy and its core products include a variety of warships and support vessels. Alongside its program supporting the PLA Navy, Bloomberg notes that CSSC ‘produces oil tankers, bulk carriers, conditioner vessels, deepwater survey ships, and marine equipment.’On 2 July 2019, it was announced that the China Shipbuilding Industry Corporation and the CSSC would merge. According to Jane’s Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion (AUD178 billion) and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’
The tag is: misp-galaxy:china-defence-universities="China State Shipbuilding Corporation (中国船舶工业集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-state-shipbuilding-corporation |
China University of Geosciences (Wuhan) (中国地质大学)
CUG is subordinate to the Ministry of Education and also supervised by China’s Ministry of Land and Resources. It is actively engaged in defence research and training on geology, hosting the defence-focused Ministry of Education Key Laboratory on Geological Exploration and Evaluation. The laboratory was established in 2018, has 56 staff, and trains students in ‘military geology’.CUG gained secret-level security credentials in 2009, enabling it to participate in classified defence projects.
The tag is: misp-galaxy:china-defence-universities="China University of Geosciences (Wuhan) (中国地质大学)"
Links |
https://unitracker.aspi.org.au/universities/china-university-of-geosciences-wuhan |
China University of Mining and Technology (中国矿业大学)
CUMT is subordinate to the Ministry of Education and specialises in engineering and other mining and industry-related disciplines. It engages in low levels of defence research.CUMT’s defence research revolves around manufacturing and design, materials science, control science, electronic components, power and energy, and bionics. It appears to be involved in the construction and design of underground bunkers for the military. The academic committee of its State Key Laboratory for Geomechanics and Deep Underground Engineering (深部岩石力学与地下工程国家红点实验室) is headed by PLA underground engineering expert Qian Qihu (钱七虎).
The tag is: misp-galaxy:china-defence-universities="China University of Mining and Technology (中国矿业大学)"
Links |
https://unitracker.aspi.org.au/universities/china-university-of-mining-and-technology |
Chinese Academy of Engineering Physics (中国工程物理研究院)
CAEP was founded in 1958 and now has over 24,000 employees. It is headquartered in Mianyang, Sichuan Province, but also has facilities in Chengdu and Beijing. Notably, Mianyang is home to a military-civil fusion (MCF) demonstration base—the Sichuan Mianyang High-Technology City. Sichuan Military District Commander Jiang Yongshen (姜永申) in 2016 stressed the important role that Mianyang plays in China’s larger science and technology development and the significance of its military-civil fusion (MCF) demonstration base.The academy is best known for nuclear weapons, but also carries out research on directed-energy weapons. CAEP’s four main tasks are to develop nuclear weapons, research microwaves and lasers for nuclear fusion ignition and directed-energy weapons, study technologies related to conventional weapons, and deepen military-civil fusion. It claims that its research covers 260 specialising, primarily in the broad areas of physics and mathematics, mechanics and engineering, materials and chemistry, electronics and information, and optics and electrical engineering.CAEP hosts part of the Tianhe-2 supercomputer, one of the worlds fastest supercomputers.Despite the sensitivity of its work, CAEP has expanded its international presence in recent years. It claims to send hundreds of scientists overseas to study or work as visiting scholars. CAEP has also used Chinese government talent recruitment schemes such as the Thousand Talents Plan to recruit dozens of scientists from abroad. By 2015, CAEP had recruited 57 scholars through the Thousand Talents Plan, making it one of the largest recruiters of Thousand Talents Plan scholars.CAEP maintains strong collaborative relationships with Chinese civilian universities. It runs a joint laboratory with the University of Electronic Science and Technology of China and collaborates with universities and research institutions including the Chinese Academy of Sciences, the University of Science and Technology of China, Shandong University, Southwest University of Science and Technology, Sichuan University, Jilin University, Peking University and Tsinghua University. CAEP sponsors postgraduate students in many of these institutions who are required to work there for five years after graduating.
The tag is: misp-galaxy:china-defence-universities="Chinese Academy of Engineering Physics (中国工程物理研究院)"
Links |
https://unitracker.aspi.org.au/universities/chinese-academy-of-engineering-physics |
Chongqing University (重庆大学)
CQU is a leading Chinese research institution subordinate to the Ministry of Education. Chongqing University is home to at least two laboratories devoted to defence research on nanotechnology and control systems. An institution accredited to conduct classified research, Chongqing University is active in improving its security culture with respect to the safeguarding of official secrets.In December 2016, the Ministry of Education entered an agreement with defence industry agency SASTIND to advance military-civil fusion at Chongqing University. Following this agreement, Chongqing University established the defence-focused Ministry of Education Key Laboratory for Complex Systems Safety and Autonomous Control, which works on control systems engineering in May 2018.
The tag is: misp-galaxy:china-defence-universities="Chongqing University (重庆大学)"
Links |
https://unitracker.aspi.org.au/universities/chongqing-university |
Chongqing University of Posts and Telecommunications (重庆邮电大学)
CQUPT is involved in research on wireless network engineering and testing, next-generation wideband wireless communication, computer networking and information security, intelligent information processing, advanced manufacturing, micro-electronics and specialized chip design. It ranks among the top 100 universities in China for science and technology.The university is supervised by the Ministry of Industry and Information Technology and the Chongqing Municipal Government. It holds secret-level security credentials, allowing it to participate in classified defence technology projects.
The tag is: misp-galaxy:china-defence-universities="Chongqing University of Posts and Telecommunications (重庆邮电大学)"
Links |
https://unitracker.aspi.org.au/universities/chongqing-university-of-posts-and-telecommunications |
Chongqing University of Technology (重庆理工大学)
CQUT is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). However its involvement in defence research does not appear as expansive as the other B8 members and it is a relatively low-ranked university. In 2017, its president stated that ‘Chongqing is an important site for the weapons industry, but its military-industrial research and development ability has not yet upgraded.’ Unlike the other members of the B8, SASTIND does not appear to supervise the university.The university has links to Norinco Group and China South Industries Group, China’s largest weapons manufacturers, and was under the supervision of the conglomerates’ predecessor, China Ordnance Industry Corporation, until 1999. In 2017 and 2018, it signed a partnerships with four local defence companies to collaborate on research and training.In 2011, CQUT received secret-level security credentials, enabling it to participate in classified defence projects.
The tag is: misp-galaxy:china-defence-universities="Chongqing University of Technology (重庆理工大学)"
Links |
https://unitracker.aspi.org.au/universities/chongqing-university-of-technology |
Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)
COMAC was established in 2008 as a state-owned manufacturer of large commercial aircraft. The company oversees eleven subsidiaries that focus on various aspects of aircraft production. A list of COMAC’s subordinate companies can be found in English on the company’s website.Despite its focus on commercial aircraft, China’s Ministry of Industry and Information Technology has referred to it as a defence industry conglomerate. The company maintains strong links to China’s defence industry and some of its leadership is drawn from former executives at state-owned military aircraft and missile manufacturers. China’s leading producer of military aircraft, the Aviation Industry Corporation of China (AVIC), also holds a 10 per cent share in COMAC. COMAC supports the continued development of China’s defence industry by awarding ‘national defence technology scholarships’ to Chinese university students.COMAC’s signature passenger aircraft, the C919, offers an example of how the company could use its civilian aircraft production for military purposes. Numerous Chinese analysts have studied Boeing’s conversion of the 737 into the P-8 Poseidon and E-7A surveillance aircraft and argue that the C919 could also be retrofitted for early warning as well as anti-surface and anti-submarine warfare missions. With a greater flight range than China’s other military aircraft, a retrofitted C919 for maritime surveillance operations could reduce China’s dependence on artificial air bases in the South China Sea which currently render aircraft vulnerable to corrosion due to harsh weather conditions. Vice-Chairman of the Central Military Commission, Zhang Youxia, reportedly expressed an interest in learning from American companies in converting civilian aircraft into military aircraft while inspecting COMAC’s C919.
The tag is: misp-galaxy:china-defence-universities="Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)"
Links |
https://unitracker.aspi.org.au/universities/commercial-aircraft-corporation-of-china |
Criminal Investigation Police University of China (中国刑事警察学院)
CIPUS was founded in May 1948 and underwent several name changes, but was upgraded in 1981 to become the first police university offering a specialised undergraduate degree program. It runs a national engineering laboratory, two MPS key laboratories, and provincial key laboratories. It is focused on training in criminal investigation, criminology science and technology and criminal law.The university also has relationships with companies that provide the technological tools that contribute to the PRC’s public security apparatus. For instance, it has a relationship with the company Haiyun Data on public security intelligence. Haiyun provides data visualization services for MPS bureaus across China.
The tag is: misp-galaxy:china-defence-universities="Criminal Investigation Police University of China (中国刑事警察学院)"
Links |
https://unitracker.aspi.org.au/universities/criminal-investigation-police-university-of-china |
Dalian Minzu University (大连民族大学)
DLMU was established in 1984 as an institution that researches China’s ethnic minorities. The university is overseen by the State Ethnic Affairs Commission (SEAC), the Liaoning Provincial Government and the Dalian Municipal Government.Scientific disciplines taught by DLMU include communications and information engineering, machine engineering, civil engineering and environmental science. DLMU also researches political thought and minority groups of northeast China.DLMU currently hosts the Dalian Key Lab of Digital Technology for National Culture (大连市民族文化数字技术重点实验室). Researchers at laboratory carry out research on facial recognition of ethnic minorities. The laboratory has collaborated with an academic from Curtin University on research related to the facial recognition of Tibetans, Koreans and Uyghurs—over one million of whom have disappeared into re-education camps. DLMU researchers are working on a database of facial and optical movements across different ethnic groups.DLMU also hosts the State Ethnic Affairs Commission Key Laboratory of Intelligent Perception and Advanced Control (国家民委智能感知与先进控制重点实验室), housed within the university’s College of Electromechanical Engineering (机电工程学院). The laboratory has done work on convolutional neural networks for visual image recognition, which could have applications for surveillance technology.DLMU’s party committee has an active United Front Work Department. The department supervises non-CCP members and students returning from overseas study. Management of religious and ethnic minorities are likely to be other priorities for the department.
The tag is: misp-galaxy:china-defence-universities="Dalian Minzu University (大连民族大学)"
Links |
https://unitracker.aspi.org.au/universities/dalian-minzu-university |
Dalian Naval Academy (中国人民解放军海军大连舰艇学院)
The Dalian Naval Academy is one of the main training colleges for junior officers and cadets in the PLA Navy. The academy focuses on maritime navigation technology, communications engineering, electronic information engineering, weapons systems engineering, surveying and control science.Scientists from the Dalian Naval Academy produce publications on a variety of defence topics, including:
The tag is: misp-galaxy:china-defence-universities="Dalian Naval Academy (中国人民解放军海军大连舰艇学院)"
Links |
https://unitracker.aspi.org.au/universities/dalian-naval-academy |
Dalian University of Technology (大连理工大学)
DLUT is directly under the administration of the Ministry of Education. In 2018, it came under the supervision of defence industry agency SASTIND as part of the government’s efforts to deepen military-civil fusion in the university sector. In 2006, the university received secret-level security credentials, allowing it to participate in classified defence technology projects. Since then, it has expanded cooperation with the PLA Navy and joined several military-civil fusion innovation alliances.In 2015, the university established a defence laboratory in the School of Mechanical Engineering. The laboratory was proposed by a professor within the University’s Institute of Science and Technology. The Institute of Science and Technology is primarily responsible for high-tech project management, where they manage projects for the 973 Program, the National Natural Science Foundation, and the Ministry of Education.
The tag is: misp-galaxy:china-defence-universities="Dalian University of Technology (大连理工大学)"
Links |
https://unitracker.aspi.org.au/universities/dalian-university-of-technology |
Donghua University (东华大学)
DHU is subordinate to the Ministry of Education. It is actively involved in defence research on materials. It hosts the Key Laboratory of High Performance Fibers & Products, a defence-focused laboratory involved in materials science and textiles engineering research for China’s defence industry and weapons systems. The laboratory is specifically involved in developing materials for weapons casings, vehicular armour, aviation and cabling. The university holds secret-level security credentials, allowing it to participate in classified defence research projects.DHU claims that much of its research has been applied to fields such as defence technology and aviation, and contributed towards China’s space program and Beidou satellite navigation system. In 2018, the university signed a strategic cooperation agreement with the state-owned Jihua Group (际华集团) for collaboration on textiles to meet the military’s needs.
The tag is: misp-galaxy:china-defence-universities="Donghua University (东华大学)"
Links |
https://unitracker.aspi.org.au/universities/donghua-university |
East China University of Technology (东华理工大学)
ECUT was founded in 1956 as the first institution of higher education for China’s nuclear industry. Since 2001, it has been subject to four ‘joint construction’ agreements between the Jiangxi Provincial Government and defence industry agency SASTIND or its predecessor COSTIND. These agreements are designed to develop the university’s involvement in defense-related research and training. The Ministry of Natural Resources and defence conglomerate China National Nuclear Corporation are also involved in supervising and supporting ECUT.ECUT carries out defence research related to nuclear science and hosts a defence laboratory on radioactive geology. It holds secret-level security credentials, allowing it to participate in classified defence technology projects. In 2006, the East China University of Technology National Defence Technology Institute (东华理工大学国防科技学院) was established.
The tag is: misp-galaxy:china-defence-universities="East China University of Technology (东华理工大学)"
Links |
https://unitracker.aspi.org.au/universities/east-china-university-of-technology |
Engineering University of the CAPF (中国人民武装警察部队工程大学)
The Engineering University of the CAPF is an institution devoted to training personnel in China’s paramilitary service, the People’s Armed Police, in command and engineering disciplines. The university focuses on paramilitary information engineering, paramilitary equipment technology, non-lethal weapons, military communications and mathematical cryptography. Students of the university can select majors from disciplines such as communications engineering, information security, military big data engineering, management science and engineering, and mechanical engineering.The Engineering University of the CAPF hosts the Key Military Laboratory for Non-Lethal Weapons (非致命武器等全军重点实验室), the Big Data and Cloud Computing Laboratory (大数据与云计算实验室), and the Command Automation Training Centre (指挥自动化培训中心), indicating expertise in these areas.The Engineering University of the CAPF has collaborated significantly with a Beijing-based company called SimpleEdu (北京西普阳光教育科技股份有限公司), focusing primarily on social media and internet research. Below is a list of initiatives with which the Engineering University of the CAPF has collaborated:
The tag is: misp-galaxy:china-defence-universities="Engineering University of the CAPF (中国人民武装警察部队工程大学)"
Links |
https://unitracker.aspi.org.au/universities/engineering-university-of-the-capf |
Fudan University (复旦大学)
Fudan University is among China’s best universities. It was ranked 104th in the world by Times Higher Education in 2019. The university appears to engage high levels of work for the military on materials science, including stealth technology.All defence-related projects and matters in Fudan are managed by the university’s Institute of Special Materials and Technology (专用材料与装备技术研究院) and Defence Industry Secrets Committee (复旦大学军工保密委员会). The Institute of Special Materials and Technology specialises in defence research and works on simulations, precision manufacturing, and materials. Professor Ye Mingxin, the institute’s director, is also an advisor to the PLA and defence companies on materials science. Fudan University’s Materials Science Department includes one professor who is described as specifically being a ‘defence system professor’, which may refer to Professor Ye. In 2011, Fudan established a State Secrets Academy (国家保密学院), in partnership with China’s National Administration of State Secrets Protection (国家保密局). The institute carries out research and training on the protection of state secrets.
The tag is: misp-galaxy:china-defence-universities="Fudan University (复旦大学)"
Links |
https://unitracker.aspi.org.au/universities/fudan-university |
Fuzhou University (福州大学)
Fuzhou University is overseen by the Fujian Provincial Government and a focus on engineering disciplines. It does not appear to engage in significant levels of defence research. However, the Fuzhou University Military-Civil Fusion Innovation Research Institute (福州大学军民融合创新研究院) was jointly established in 2016 by Fuzhou University along with a number defence companies and military research institutions under the guidance of Fujian Provincial Government’s National Defence Industry Office (省国防科工办). Furthermore, the Fujian Provincial People’s Government and SASTIND entered an agreement to jointly develop the university as part of China’s military-civil fusion initiative in 2018. This indicates that the university will expand its involvement in defence research. The university has held second-class weapons R&D secrecy credentials since 2006.
The tag is: misp-galaxy:china-defence-universities="Fuzhou University (福州大学)"
Links |
https://unitracker.aspi.org.au/universities/fuzhou-university |
Guilin University of Electronic Science and Technology (桂林电子科技大学)
GUET specialises in electronics, communications and computer science. It engages in growing levels of defence research, indicated by the decision to place it under the joint administration of the defence industry agency SASTIND and the Guangxi Provincial Government in 2018.The PLA describes GUET as ‘Guangxi Province’s only university to have long carried out defence research.’ Areas of defence research at the university include communications technology, materials science, signals processing, microwaves, satellite navigation, and command and control. Since 2007, the university has held secret-level security credentials, enabling it to participate in classified weapons and defence technology projects.
The tag is: misp-galaxy:china-defence-universities="Guilin University of Electronic Science and Technology (桂林电子科技大学)"
Links |
https://unitracker.aspi.org.au/universities/guilin-university-of-electronic-science-and-technology |
Hangzhou Dianzi University (杭州电子科技大学)
HDU specialises in information technology and has been jointly supervised by the Zhejiang Provincial Government and defence industry agency SASTIND since 2007. The university is Zhejiang Province’s only provincial-level higher education institution to have officially designated national defence disciplines.HDU’s leadership is closely integrated with its defence research. Since its creation in 2008, the university’s main defence laboratory has been run by Xue Anke, who was the university’s president until 2017. While president, Xue served on an expert advisory committee to the PLA on information technology. He is also a member of the Zhejiang Provincial Expert Committee on Artificial Intelligence Development.Key areas of defence research at HDU include electronics, artificial intelligence, military-use software, and communications and information systems. HDU has been expanding its research on artificial intelligence, establishing a school of artificial intelligence and an artificial intelligence research institute in 2018.HDU holds secret-level security credentials, allowing it to undertake classified weapons and defence technology projects. In 2011, the Zhejiang State Secrets Bureau established a State Secrets Academy in HDU. The academy, one of twelve in the country, trains personnel in managing and protecting confidential information.
The tag is: misp-galaxy:china-defence-universities="Hangzhou Dianzi University (杭州电子科技大学)"
Links |
https://unitracker.aspi.org.au/universities/hangzhou-dianzi-university |
Hangzhou Normal University (杭州师范大学)
Hangzhou Normal University is a Chinese university subordinate to the Zhejiang Provincial Government. The university was initially established in 1978 as Hangzhou Normal College (杭州师范学院) to focus on teacher training, art education as well as research in the humanities and natural sciences. Hangzhou Normal University retains this broad academic focus and oversees faculties such as the Alibaba Business School (阿里巴巴商学院).Hangzhou Normal University collaborates with China’s MPS on the development of surveillance technology. In March 2019, the university entered into an agreement with the Zhejiang Police College, the Zhejiang Public Security Office, and Hikvision—China’s leading producer of video surveillance technology—to establish a joint laboratory. The joint laboratory reportedly focuses on applying big data analysis, cloud computing and internet of things technology to improve China’s policing capability.
The tag is: misp-galaxy:china-defence-universities="Hangzhou Normal University (杭州师范大学)"
Links |
https://unitracker.aspi.org.au/universities/hangzhou-normal-university |
Harbin Engineering University (哈尔滨工程大学)
HEU is one of China’s top defence research universities. The university is a leading centre of research and training on shipbuilding, naval armaments, maritime technology and nuclear power. 36.46% of the university’s 2017 graduates who found employment were working in the defence sector.As one of the group of universities subordinate to the Ministry of Industry and Information Technology (MIIT) known as the ‘Seven Sons of National Defence’ (国防七子), HEU is an integral part of China’s defence industry. HEU’s achievements include producing China’s first experimental submarine, ship-based computer, and hovercraft. The university claims to have participated in most of the PLA Navy’s submarine, undersea weapon, and warship projects.HIT’s role in the defence industry is highlighted by its formal affiliation with the PLA Navy, which became a supervising agency of the university in 2007. Under the supervisory agreement, the PLA Navy committed to developing HEU’s capacity as a platform for research and development in military technology and for training defence personnel. The following year, HEU established a Defence Education Institute to train reserve officers. Since then, the institute has trained at least 1,700 officers. HEU also maintains a joint laboratory with the PLA Navy Coatings Analysis and Detection Center.HEU is an important hub research on nuclear engineering, including on nuclear submarines. In 2018, it signed a co-construction agreement with defence conglomerate China National Nuclear Corporation (CNNC). In 2019, HEU and CNNC established the China Nuclear Industry Safety and Simulation Technology Research Institute. HEU also runs a joint laboratory on energetic materials (such as explosives) with the Chinese Academy of Engineering Physics, China’s nuclear warhead research organisation.
The tag is: misp-galaxy:china-defence-universities="Harbin Engineering University (哈尔滨工程大学)"
Links |
https://unitracker.aspi.org.au/universities/harbin-engineering-university |
Harbin Institute of Technology (哈尔滨工业大学)
HIT is one of China’s top defence research universities. As one of seven universities run by MIIT, it is known as one of the ‘Seven Sons of National Defence’ (国防七子). The Seven Sons of National Defence all have close relationships with the Chinese military and are core training and research facilities for China’s defence industry. In 2018, HIT spent RMB1.97 billion (AUD400 million)—more than half of its research budget—on defence research. 29.96% of the university’s graduates that year who found employment were working in the defence sector.HIT has been described by Chinese state media as having ‘defence technology innovation and weapons and armaments modernisation as its core’. It excels in satellite technology, robotics, advanced materials and manufacturing technology, and information technology. Other areas of defence research at HIT include nuclear technology, nuclear combustion, nuclear power engineering and electronic propulsion and thruster technology, many of which are officially designated as skill shortage areas for the Chinese defence industry.HIT is best known for its aerospace research and has a close relationship with China Aerospace Science and Technology Corporation (CASC), a state-owned defence company that specialises in long-range ballistic missile and satellite technology. Since 2008, HIT and CASC have operated a joint research centre. Defence conglomerates CASC, CASIC, AVIC and CETC rank among the top employers of HIT graduates. The university is a major source of cyber talent and receives funding for information security research from the MSS, China’s civilian intelligence agency. A report prepared for the US–China Security and Economic Review Commission identified it as one of four universities focused on research with applications in info