MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #720 from Th4nat0s/thales_atk 

Add Mitre vs Thales RosettaStone
pull/723/head
Alexandre Dulaunoy 2022-06-11 08:17:15 +02:00 committed by GitHub
parent 18fd2c0e34 57befd7259
commit 10d53418de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 137 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

183
clusters/threat-actor.json
View File

@ -67,7 +67,8 @@
"Brown Fox", "Brown Fox",
"GIF89a", "GIF89a",
"ShadyRAT", "ShadyRAT",
"Shanghai Group" "Shanghai Group",
"G0006"
] ]
}, },
"related": [ "related": [
@ -149,6 +150,9 @@
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf", "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf",
"https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack", "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack",
"https://attack.mitre.org/groups/G0031/" "https://attack.mitre.org/groups/G0031/"
],
"synonyms": [
"G0031"
] ]
}, },
"related": [ "related": [
@ -279,7 +283,8 @@
"4HCrew", "4HCrew",
"SULPHUR", "SULPHUR",
"SearchFire", "SearchFire",
"TG-6952" "TG-6952",
"G0024"
] ]
}, },
"related": [ "related": [
@ -383,7 +388,9 @@
"APT-C-06", "APT-C-06",
"SIG25", "SIG25",
"TUNGSTEN BRIDGE", "TUNGSTEN BRIDGE",
"T-APT-02" "T-APT-02",
"G0012",
"ATK52"
] ]
}, },
"related": [ "related": [
@ -461,11 +468,13 @@
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html", "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
"https://www.cfr.org/interactive/cyber-operations/apt-16" "https://www.cfr.org/interactive/cyber-operations/apt-16",
"https://attack.mitre.org/groups/G0023"
], ],
"synonyms": [ "synonyms": [
"APT16", "APT16",
"SVCMONDR" "SVCMONDR",
"G0023"
] ]
}, },
"uuid": "1f73e14f-b882-4032-a565-26dc653b0daf", "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf",
@ -494,7 +503,8 @@
"https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware", "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
"https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire", "https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
"https://www.recordedfuture.com/hidden-lynx-analysis/", "https://www.recordedfuture.com/hidden-lynx-analysis/",
"https://www.secureworks.com/research/threat-profiles/bronze-keystone" "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
"https://attack.mitre.org/groups/G0025/"
], ],
"synonyms": [ "synonyms": [
"APT 17", "APT 17",
@ -504,7 +514,8 @@
"Hidden Lynx", "Hidden Lynx",
"Tailgater Team", "Tailgater Team",
"Dogfish", "Dogfish",
"BRONZE KEYSTONE" "BRONZE KEYSTONE",
"G0025"
] ]
}, },
"related": [ "related": [
@ -557,7 +568,8 @@
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828", "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828",
"https://www.cfr.org/interactive/cyber-operations/apt-18" "https://www.cfr.org/interactive/cyber-operations/apt-18",
"https://attack.mitre.org/groups/G0026"
], ],
"synonyms": [ "synonyms": [
"Dynamite Panda", "Dynamite Panda",
@ -565,7 +577,8 @@
"APT 18", "APT 18",
"SCANDIUM", "SCANDIUM",
"PLA Navy", "PLA Navy",
"APT18" "APT18",
"G0026"
] ]
}, },
"related": [ "related": [
@ -648,7 +661,8 @@
"BARIUM", "BARIUM",
"BRONZE ATLAS", "BRONZE ATLAS",
"BRONZE EXPORT", "BRONZE EXPORT",
"Red Kelpie" "Red Kelpie",
"G0044"
] ]
}, },
"related": [ "related": [
@ -731,7 +745,8 @@
"Group 13", "Group 13",
"PinkPanther", "PinkPanther",
"Sh3llCr3w", "Sh3llCr3w",
"BRONZE FIRESTONE" "BRONZE FIRESTONE",
"G0009"
] ]
}, },
"related": [ "related": [
@ -807,7 +822,8 @@
"APT.Naikon", "APT.Naikon",
"Lotus Panda", "Lotus Panda",
"Hellsing", "Hellsing",
"BRONZE GENEVA" "BRONZE GENEVA",
"G0019"
] ]
}, },
"related": [ "related": [
@ -879,7 +895,9 @@
"ST Group", "ST Group",
"Esile", "Esile",
"DRAGONFISH", "DRAGONFISH",
"BRONZE ELGIN" "BRONZE ELGIN",
"ATK1",
"G0030"
] ]
}, },
"related": [ "related": [
@ -1037,7 +1055,8 @@
"ZipToken", "ZipToken",
"Iron Tiger", "Iron Tiger",
"BRONZE UNION", "BRONZE UNION",
"Lucky Mouse" "Lucky Mouse",
"G0027"
] ]
}, },
"related": [ "related": [
@ -1108,7 +1127,9 @@
"CVNX", "CVNX",
"HOGFISH", "HOGFISH",
"Cloud Hopper", "Cloud Hopper",
"BRONZE RIVERSIDE" "BRONZE RIVERSIDE",
"ATK41",
"G0045"
] ]
}, },
"related": [ "related": [
@ -1181,6 +1202,9 @@
"https://kc.mcafee.com/corporate/index?page=content&id=KB71150", "https://kc.mcafee.com/corporate/index?page=content&id=KB71150",
"https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf",
"https://attack.mitre.org/groups/G0014/" "https://attack.mitre.org/groups/G0014/"
],
"synonyms": [
"G0014"
] ]
}, },
"related": [ "related": [
@ -1233,7 +1257,8 @@
"Lurid", "Lurid",
"Social Network Team", "Social Network Team",
"Royal APT", "Royal APT",
"BRONZE PALACE" "BRONZE PALACE",
"G0004"
] ]
}, },
"uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
@ -1401,7 +1426,8 @@
], ],
"synonyms": [ "synonyms": [
"PittyTiger", "PittyTiger",
"MANGANESE" "MANGANESE",
"G0011"
] ]
}, },
"related": [ "related": [
@ -1607,7 +1633,8 @@
"Admin338", "Admin338",
"Team338", "Team338",
"MAGNESIUM", "MAGNESIUM",
"admin@338" "admin@338",
"G0018"
] ]
}, },
"related": [ "related": [
@ -1645,7 +1672,8 @@
"KeyBoy", "KeyBoy",
"TropicTrooper", "TropicTrooper",
"Tropic Trooper", "Tropic Trooper",
"BRONZE HOBART" "BRONZE HOBART",
"G0081"
] ]
}, },
"uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee", "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
@ -1873,7 +1901,8 @@
"iKittens", "iKittens",
"Group 83", "Group 83",
"Newsbeef", "Newsbeef",
"NewsBeef" "NewsBeef",
"G0058"
] ]
}, },
"related": [ "related": [
@ -1962,6 +1991,7 @@
"https://www.brighttalk.com/webcast/10703/275683", "https://www.brighttalk.com/webcast/10703/275683",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
"https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
"https://attack.mitre.org/groups/G0064/",
"https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/" "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/"
], ],
"synonyms": [ "synonyms": [
@ -1970,7 +2000,9 @@
"MAGNALLIUM", "MAGNALLIUM",
"Refined Kitten", "Refined Kitten",
"HOLMIUM", "HOLMIUM",
"COBALT TRINITY" "COBALT TRINITY",
"G0064",
"ATK35"
] ]
}, },
"related": [ "related": [
@ -2181,7 +2213,9 @@
"APT35", "APT35",
"APT 35", "APT 35",
"TEMP.Beanie", "TEMP.Beanie",
"Ghambar" "Ghambar",
"G0059",
"G0003"
] ]
}, },
"related": [ "related": [
@ -2399,7 +2433,9 @@
"Group 74", "Group 74",
"SIG40", "SIG40",
"Grizzly Steppe", "Grizzly Steppe",
"apt_sofacy" "apt_sofacy",
"G0007",
"ATK5"
] ]
}, },
"related": [ "related": [
@ -2457,7 +2493,8 @@
"https://www.cfr.org/interactive/cyber-operations/dukes", "https://www.cfr.org/interactive/cyber-operations/dukes",
"https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
"https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", "https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
"https://www.secureworks.com/research/threat-profiles/iron-hemlock" "https://www.secureworks.com/research/threat-profiles/iron-hemlock",
"https://attack.mitre.org/groups/G0016"
], ],
"synonyms": [ "synonyms": [
"Dukes", "Dukes",
@ -2478,7 +2515,9 @@
"Hammer Toss", "Hammer Toss",
"YTTRIUM", "YTTRIUM",
"Iron Hemlock", "Iron Hemlock",
"Grizzly Steppe" "Grizzly Steppe",
"G0016",
"ATK7"
] ]
}, },
"related": [ "related": [
@ -2572,7 +2611,9 @@
"Popeye", "Popeye",
"SIG23", "SIG23",
"Iron Hunter", "Iron Hunter",
"MAKERSMARK" "MAKERSMARK",
"ATK13",
"G0010"
] ]
}, },
"related": [ "related": [
@ -2646,7 +2687,9 @@
"Havex", "Havex",
"CrouchingYeti", "CrouchingYeti",
"Koala Team", "Koala Team",
"IRON LIBERTY" "IRON LIBERTY",
"G0035",
"ATK6"
] ]
}, },
"related": [ "related": [
@ -2819,7 +2862,9 @@
"synonyms": [ "synonyms": [
"CARBON SPIDER", "CARBON SPIDER",
"GOLD NIAGARA", "GOLD NIAGARA",
"Calcium" "Calcium",
"ATK32",
"G0046"
] ]
}, },
"related": [ "related": [
@ -3081,7 +3126,9 @@
"https://www.hvs-consulting.de/lazarus-report/", "https://www.hvs-consulting.de/lazarus-report/",
"https://github.com/hvs-consulting/ioc_signatures/tree/main/Lazarus_APT37", "https://github.com/hvs-consulting/ioc_signatures/tree/main/Lazarus_APT37",
"https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html", "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html",
"https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html" "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
"https://attack.mitre.org/groups/G0082",
"https://attack.mitre.org/groups/G0032"
], ],
"synonyms": [ "synonyms": [
"Operation DarkSeoul", "Operation DarkSeoul",
@ -3108,7 +3155,11 @@
"Nickel Academy", "Nickel Academy",
"APT-C-26", "APT-C-26",
"NICKEL GLADSTONE", "NICKEL GLADSTONE",
"COVELLITE" "COVELLITE",
"ATK3",
"G0032",
"ATK117",
"G0082"
] ]
}, },
"related": [ "related": [
@ -3232,7 +3283,8 @@
], ],
"synonyms": [ "synonyms": [
"Animal Farm", "Animal Farm",
"Snowglobe" "Snowglobe",
"ATK8"
] ]
}, },
"uuid": "3b8e7462-c83f-4e7d-9511-2fe430d80aab", "uuid": "3b8e7462-c83f-4e7d-9511-2fe430d80aab",
@ -3385,7 +3437,9 @@
"Sarit", "Sarit",
"Quilted Tiger", "Quilted Tiger",
"APT-C-09", "APT-C-09",
"ZINC EMERSON" "ZINC EMERSON",
"ATK11",
"G0040"
] ]
}, },
"related": [ "related": [
@ -3689,7 +3743,9 @@
"ITG08", "ITG08",
"MageCart Group 6", "MageCart Group 6",
"White Giant", "White Giant",
"GOLD FRANKLIN" "GOLD FRANKLIN",
"ATK88",
"G0037"
] ]
}, },
"related": [ "related": [
@ -3789,7 +3845,9 @@
"Helix Kitten", "Helix Kitten",
"APT 34", "APT 34",
"APT34", "APT34",
"IRN2" "IRN2",
"ATK40",
"G0049"
] ]
}, },
"related": [ "related": [
@ -4455,7 +4513,9 @@
"Ocean Buffalo", "Ocean Buffalo",
"POND LOACH", "POND LOACH",
"TIN WOODLAWN", "TIN WOODLAWN",
"BISMUTH" "BISMUTH",
"ATK17",
"G0050"
] ]
}, },
"related": [ "related": [
@ -4519,7 +4579,9 @@
"https://attack.mitre.org/groups/G0068/" "https://attack.mitre.org/groups/G0068/"
], ],
"synonyms": [ "synonyms": [
"TwoForOne" "TwoForOne",
"G0068",
"ATK33"
] ]
}, },
"related": [ "related": [
@ -4595,7 +4657,9 @@
"since": "2017", "since": "2017",
"synonyms": [ "synonyms": [
"LeafMiner", "LeafMiner",
"Raspite" "Raspite",
"ATK113",
"G0061"
], ],
"victimology": "Electric utility sector" "victimology": "Electric utility sector"
}, },
@ -5607,7 +5671,9 @@
"Static Kitten", "Static Kitten",
"Seedworm", "Seedworm",
"MERCURY", "MERCURY",
"COBALT ULSTER" "COBALT ULSTER",
"G0069",
"ATK51"
] ]
}, },
"related": [ "related": [
@ -5716,7 +5782,9 @@
"Red Eyes", "Red Eyes",
"Ricochet Chollima", "Ricochet Chollima",
"ScarCruft", "ScarCruft",
"Venus 121" "Venus 121",
"ATK4",
"G0067"
] ]
}, },
"related": [ "related": [
@ -5803,7 +5871,9 @@
"APT40", "APT40",
"BRONZE MOHAWK", "BRONZE MOHAWK",
"GADOLINIUM", "GADOLINIUM",
"Kryptonite Panda" "Kryptonite Panda",
"G0065",
"ATK29"
] ]
}, },
"related": [ "related": [
@ -6145,7 +6215,9 @@
], ],
"synonyms": [ "synonyms": [
"Gorgon Group", "Gorgon Group",
"Subaat" "Subaat",
"ATK92",
"G0078"
] ]
}, },
"uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131", "uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
@ -6401,6 +6473,10 @@
"country": "PK", "country": "PK",
"refs": [ "refs": [
"https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo" "https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo"
],
"synonyms": [
"ATK78",
"G0076"
] ]
}, },
"uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c", "uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c",
@ -6524,6 +6600,10 @@
"country": "RU", "country": "RU",
"refs": [ "refs": [
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas" "https://www.cfr.org/interactive/cyber-operations/cloud-atlas"
],
"synonyms": [
"ATK116",
"G0100"
] ]
}, },
"uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126", "uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
@ -6826,7 +6906,9 @@
"GRACEFUL SPIDER", "GRACEFUL SPIDER",
"GOLD TAHOE", "GOLD TAHOE",
"Dudear", "Dudear",
"TEMP.Warlock" "TEMP.Warlock",
"G0092",
"ATK103"
] ]
}, },
"uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@ -7452,7 +7534,9 @@
"https://attack.mitre.org/groups/G0088/" "https://attack.mitre.org/groups/G0088/"
], ],
"synonyms": [ "synonyms": [
"Xenotime" "Xenotime",
"G0088",
"ATK91"
] ]
}, },
"uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2", "uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2",
@ -8445,6 +8529,10 @@
"https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks", "https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks",
"https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking", "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
"https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china" "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china"
],
"synonyms": [
"ATK233",
"G0125"
] ]
}, },
"uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
@ -8698,11 +8786,14 @@
"description": "GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.", "description": "GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.secureworks.com/research/threat-profiles/gold-cabin" "https://www.secureworks.com/research/threat-profiles/gold-cabin",
"https://attack.mitre.org/groups/G0127/"
], ],
"synonyms": [ "synonyms": [
"Shakthak", "Shakthak",
"TA551" "TA551",
"ATK236",
"G0127"
] ]
}, },
"uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1", "uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1",
@ -9335,5 +9426,5 @@
"value": "RansomHouse" "value": "RansomHouse"
} }
], ],
"version": 227 "version": 228
} }