From f066061f4b208d9d5cbea159b68a9b934f6d9d66 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 29 Nov 2023 11:28:37 -0800
Subject: [PATCH 1/7] [threat-actors] Add Blacktail

---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0ca3a2f..7a52ac8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13513,6 +13513,19 @@
 },
 "uuid": "55bcc595-2442-4f98-9477-7fe9b507607c",
 "value": "SilverFish"
+ },
+ {
+ "description": "Blacktail is a cybercrime group that has gained attention for its ransomware campaigns, particularly the Buhti ransomware. They are known for using custom-built data exfiltration tools and have been observed exploiting vulnerabilities in both Windows and Linux systems.",
+ "meta": {
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/buhti-ransomware",
+ "https://fortiguard.fortinet.com/threat-signal-report/5170",
+ "https://www.redpacketsecurity.com/new-buhti-ransomware-gang-uses-leaked-windows-linux-encryptors/",
+ "https://www.redpacketsecurity.com/buhti-ransomware-gang-switches-tactics-utilizes-leaked-lockbit-and-babuk-code/"
+ ]
+ },
+ "uuid": "e06e1bcd-7da2-4732-934a-9fa1efa427ad",
+ "value": "Blacktail"
 }
 ],
 "version": 295
From 9c0f18e9b9475ae76bd3fa3690f563169c2272f2 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 29 Nov 2023 11:28:37 -0800
Subject: [PATCH 2/7] [threat-actors] Add MalKamak

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7a52ac8..0fb8af9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
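Review bot: Every hunk in this series leaves `"version": 295` as unchanged context, so the galaxy version is never bumped although seven clusters are added; downstream MISP instances compare that field to decide whether a galaxy needs re-importing, so the last patch (or a follow-up) should carry `-    "version": 295` / `+    "version": 296`. The same applies to the hunks in patches 2/7 through 7/7, so it is raised only here. Separately, two of the four refs point at redpacketsecurity.com, which appears to republish vendor reporting rather than originate it, while the Symantec post already listed is the primary source; if the two reposts only mirror existing coverage, replacing them with the originals (or dropping them) keeps the cluster's references authoritative.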
@@ -13526,6 +13526,17 @@
 },
 "uuid": "e06e1bcd-7da2-4732-934a-9fa1efa427ad",
 "value": "Blacktail"
+ },
+ {
+ "description": "MalKamak is an Iranian threat actor that has been operating since at least 2018. They have been involved in highly targeted cyber espionage campaigns against global aerospace and telecommunications companies. MalKamak utilizes a sophisticated remote access Trojan called ShellClient, which evades antivirus tools and uses cloud services like Dropbox for command and control.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms"
+ ]
+ },
+ "uuid": "4915bfa3-5f0a-48ec-8ed5-bcd878cba504",
+ "value": "MalKamak"
 }
 ],
 "version": 295
From 313dd82bb95787608e219c63f0490c59eecedc6c Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 29 Nov 2023 11:28:37 -0800
Subject: [PATCH 3/7] [threat-actors] Add DragonForce

---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0fb8af9..bf16ce6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
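Review bot: The cluster asserts Iranian origin through `"country": "IR"` on the strength of a single ref but gives no confidence qualifier, which the threat-actor galaxy's other clusters typically carry next to a country claim; adding `"attribution-confidence": "50"` (or whatever value the Cybereason reporting supports) beside `country` makes the certainty explicit rather than implied. The ref URL identifies the campaign as Operation GhostShell, a name the description never mentions; one sentence tying MalKamak to that operation name would help analysts who search by campaign rather than actor.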
@@ -13537,6 +13537,22 @@
 },
 "uuid": "4915bfa3-5f0a-48ec-8ed5-bcd878cba504",
 "value": "MalKamak"
+ },
+ {
+ "description": "DragonForce is a hacktivist group based in Malaysia that has been involved in cyberattacks targeting government institutions and commercial organizations in India. They have also targeted websites affiliated with Israel and have shown support for pro-Palestinian causes. The group has been observed using defacement attacks, distributed denial-of-service attacks, and data leaks as part of their campaigns. DragonForce Malaysia has demonstrated an ability to adapt and evolve their tactics over time.",
+ "meta": {
+ "country": "MY",
+ "refs": [
+ "https://www.darkowl.com/blog-content/hacktivist-groups-use-defacements-in-the-israel-hamas-conflict/",
+ "https://blog.radware.com/security/2023/05/india-one-of-the-most-targeted-countries-for-hacktivist-groups/",
+ "https://securitybrief.asia/story/dragonforce-malaysia-attacks-israeli-institutions-radware",
+ "https://www.radware.com/security/threat-advisories-and-attack-reports/opisrael-a-decade-in-review/",
+ "https://blog.radware.com/security/ddos/2022/08/this-was-h1-2022-part-3-beyond-the-war/",
+ "https://www.fortinet.com/blog/threat-research/guidance-on-hacktivist-operation-opspatuk-by-dragonforce"
+ ]
+ },
+ "uuid": "40375ed2-04ec-433f-969d-b9a004c0272e",
+ "value": "DragonForce"
 }
 ],
 "version": 295
From d4c2788b877a7f6c07305e360c37a4af920ebd14 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 29 Nov 2023 11:28:37 -0800
Subject: [PATCH 4/7] [threat-actors] Add LightBasin

---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bf16ce6..ee93d17 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
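Review bot: The `value` is the bare name `DragonForce` while the description's last sentence and the securitybrief ref both use `DragonForce Malaysia`, so correlation on the fuller name will miss this cluster; add `"synonyms": ["DragonForce Malaysia"]` next to `country`. The bare name is generic enough that collisions with unrelated groups are plausible, which is a second reason to carry the qualified name on the cluster itself. The Fortinet ref is about Operation OpsPatuk by its URL, yet the description never names that operation; mentioning it would bring the text up to the level of detail the refs already provide.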
@@ -13553,6 +13553,22 @@
 },
 "uuid": "40375ed2-04ec-433f-969d-b9a004c0272e",
 "value": "DragonForce"
+ },
+ {
+ "description": "UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks. They have also been observed targeting other industries, such as financial and professional consulting, and have been linked to other threat actors, including MustangPanada and RedDelta.",
+ "meta": {
+ "refs": [
+ "https://www.mandiant.com/resources/unc2891-overview",
+ "https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/",
+ "https://blog.talosintelligence.com/introducing-shrouded-snooper/"
+ ],
+ "synonyms": [
+ "UNC1945",
+ "CL-CRI-0025"
+ ]
+ },
+ "uuid": "a1955738-563c-413c-8602-ea5b8c89ce21",
+ "value": "LightBasin"
 }
 ],
 "version": 295
From 830ded98d3aa0f4aadd3422b5078d4e42df3607d Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 29 Nov 2023 11:28:37 -0800
Subject: [PATCH 5/7] [threat-actors] Add Red-Lili

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ee93d17..be56889 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
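Review bot: The description opens with `UNC1945 is an APT group` although the cluster's `value` is `LightBasin` and UNC1945 is only listed as a synonym; opening with `LightBasin (also tracked as UNC1945 and CL-CRI-0025) is an APT group ...` keeps the prose aligned with the primary name. `MustangPanada` in the last sentence reads as a typo for `Mustang Panda`, and if this galaxy already has a cluster for that actor (or for RedDelta) the link belongs in a `related` entry rather than in free text. Two refs are worth confirming before merge: the Mandiant URL is titled as a UNC2891 overview and the Talos URL as a Shrouded Snooper write-up, and nothing in the description says how either relates to LightBasin.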
@@ -13569,6 +13569,16 @@
 },
 "uuid": "a1955738-563c-413c-8602-ea5b8c89ce21",
 "value": "LightBasin"
+ },
+ {
+ "description": "RED-LILI is an active threat actor that has been identified by Checkmarx SCS research team. They have been publishing malicious packages on NPM and PyPi platforms, and have recently automated the process of creating NPM users for package publication. The Checkmarx team has detected around 1500 malicious packages associated with RED-LILI and has continuously disclosed their findings to the respective security teams.",
+ "meta": {
+ "refs": [
+ "https://checkmarx.com/blog/a-beautiful-factory-for-malicious-packages/"
+ ]
+ },
+ "uuid": "99d188cf-31e5-440d-a114-297cb2242d73",
+ "value": "Red-Lili"
 }
 ],
 "version": 295
From 9c02509a282607feada4f7986d5c8e3819f6a7de Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 29 Nov 2023 11:28:37 -0800
Subject: [PATCH 6/7] [threat-actors] Add WildCard

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index be56889..ee8df94 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13579,6 +13579,16 @@
 },
 "uuid": "99d188cf-31e5-440d-a114-297cb2242d73",
 "value": "Red-Lili"
+ },
+ {
+ "description": "Wildcard is a threat actor that initially targeted Israel's educational sector with the SysJoker malware. They have since expanded their operations and developed additional malware variants, disguised as legitimate software, including one written in the Rust programming language called RustDown. Their precise identity remains unknown, but they have shown advanced capabilities and a focus on critical sectors within Israel.",
+ "meta": {
+ "refs": [
+ "https://intezer.com/blog/research/wildcard-evolution-of-sysjoker-cyber-threat/"
+ ]
+ },
+ "uuid": "dc8a7137-f56e-41db-a500-920e69fa29f5",
+ "value": "WildCard"
 }
 ],
 "version": 295
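Review bot: The `value` is `Red-Lili` while the description and the Checkmarx ref spell the actor `RED-LILI`; either adopt the vendor spelling as `value` or add `"synonyms": ["RED-LILI"]` so both forms resolve to the same cluster. `PyPi` in the description should read `PyPI`, the registry's actual name. The description's count of "around 1500 malicious packages" is a point-in-time figure from a single ref, so anchoring it with the reporting date would stop it from reading as current indefinitely.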
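Review bot: The description spells the actor `Wildcard` while `value` is `WildCard`; pick the spelling the Intezer ref uses and apply it to both so free-text and value searches agree. The omission of `country` is consistent with the description's statement that the actor's identity is unknown, so no attribution field should be added here. SysJoker and RustDown are named only in prose; if tool clusters exist for them in this galaxy, a `related` entry is the place to link them.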
From 31562e470112a97c5eb2523af5db1502f6f700c8 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 29 Nov 2023 11:28:37 -0800
Subject: [PATCH 7/7] [threat-actors] Add WildPressure

---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ee8df94..49b4085 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13589,6 +13589,19 @@
 },
 "uuid": "dc8a7137-f56e-41db-a500-920e69fa29f5",
 "value": "WildCard"
+ },
+ {
+ "description": "WildPressure is a threat actor that targets industrial-related entities in the Middle East. They use a variety of programming languages, including C++, VBScript, and Python, to develop their malware. They have been observed using virtual private servers and compromised servers, particularly WordPress websites, in their infrastructure. While there are some minor similarities with other threat actors in the region, there is not enough evidence to make any attribution.",
+ "meta": {
+ "refs": [
+ "https://www.redpacketsecurity.com/it-threat-evolution-q3-2021/",
+ "https://securelist.com/wildpressure-targets-macos/103072/",
+ "https://www.redpacketsecurity.com/wildpressure-targets-industrial-related-entities-in-the-middle-east/",
+ "https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/"
+ ]
+ },
+ "uuid": "89f5a5cb-514f-46db-8959-6bb9aa991e9f",
+ "value": "WildPressure"
 }
 ],
 "version": 295
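Review bot: Two of the four refs are redpacketsecurity.com pages whose slugs mirror the securelist.com posts listed beside them (`wildpressure-targets-industrial...` appears in both), so they look like republications of the same Kaspersky reporting rather than independent sources; keeping only the securelist originals avoids counting one source twice. The `it-threat-evolution-q3-2021` page is likewise a mirror by its title of a Kaspersky quarterly report, and the original URL would be the better citation if it is retrievable. The absence of `country` matches the description's closing statement that there is not enough evidence for attribution, which is the right call for this cluster.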