add botnet galaxy and other stuffs

README.md

@@ -18,6 +18,7 @@ to localized information (which is not shared) or additional information (that c
 
 - [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources.
 - [clusters/banker.json](clusters/banker.json) - A list of banker malware.
+- [clusters/botnet.json](clusters/botnet.json) - A list of known botnets.
 - [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits.
 - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
 - [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft.

clusters/botnet.json

@@ -0,0 +1,22 @@
+{
+  "values": [
+    {
+      "value": "ADB.miner",
+      "description": "A new botnet appeared over the weekend, and it's targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.\n\nThe botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system's native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system's most sensitive features.\n\nOnly devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360's Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which the named ADB.miner.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/"
+        ]
+      }
+    }
+  ],
+  "name": "Botnet",
+  "type": "botnet",
+  "source": "MISP Project",
+  "authors": [
+    "Various"
+  ],
+  "description": "botnet galaxy",
+  "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
+  "version": 1
+}

clusters/ransomware.json

@@ -8722,6 +8722,31 @@
           "---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!"
         ]
       }
+    },
+    {
+      "value": "ShurL0ckr",
+      "description": "Security researchers uncovered a new ransomware named ShurL0ckr (detected by Trend Micro as RANSOM_GOSHIFR.B) that reportedly bypasses detection mechanisms of cloud platforms. Like Cerber and Satan, ShurL0ckr’s operators further monetize the ransomware by peddling it as a turnkey service to fellow cybercriminals, allowing them to earn additional income through a commission from each victim who pays the ransom.",
+      "meta": {
+        "refs": [
+          "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications"
+        ],
+        "date": "Febuary 2018"
+      }
+    },
+    {
+      "value": "Cryakl",
+      "description": "ransomware",
+      "meta": {
+        "refs": [
+          "https://sensorstechforum.com/fr/fairytail-files-virus-cryakl-ransomware-remove-restore-data/",
+          "https://www.technologynews.tech/cryakl-ransomware-virus",
+          "http://www.zdnet.com/article/cryakl-ransomware-decryption-keys-now-available-for-free/"
+        ],
+        "date": "January 2018",
+        "extensions": [
+          ".fairytail"
+        ]
+      }
     }
   ],
   "source": "Various",

clusters/threat-actor.json

@@ -412,12 +412,15 @@
           "ZipToken",
           "HIPPOTeam",
           "APT27",
-          "Operation Iron Tiger"
+          "Operation Iron Tiger",
+          "Iron Tiger APT"
         ],
         "country": "CN",
         "refs": [
           "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
-          "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
+          "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
+          "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
+          "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/"
         ]
       },
       "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",

galaxies/botnet.json

@@ -0,0 +1,8 @@
+{
+  "description": "Botnet galaxy.",
+  "type": "botnet",
+  "version": 1,
+  "name": "Botnet",
+  "icon": "sitemap",
+  "uuid": "90ccdf38-1649-11e8-b8bf-e7326d553087"
+}