From b010a754267df68570875658bf5b41944f082b24 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 29 Feb 2024 10:38:27 -0800
Subject: [PATCH 1/5] [threat-actors] Add SPIKEDWINE
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bb14d1b..1274e6e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15269,6 +15269,16 @@
 },
 "uuid": "74268518-8dd9-4223-9f7f-54421463cdb3",
 "value": "GoldFactory"
+ },
+ {
+ "description": "SPIKEDWINE is a threat actor targeting European officials with a new backdoor called WINELOADER. They use a bait PDF document posing as an invitation letter from the Ambassador of India to lure diplomats. The attack is characterized by advanced tactics, techniques, and procedures in the malware and command and control infrastructure. The motivation behind the attacks seems to be exploiting the geopolitical relations between India and European nations.",
+ "meta": {
+ "refs": [
+ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"
+ ]
+ },
+ "uuid": "d3cda6b1-a5da-4afc-bee4-80ea2cf05e5e",
+ "value": "SPIKEDWINE"
 }
 ],
 "version": 302
From 7b3c8a87c30d53c5c383f46326af056a0b68407e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 29 Feb 2024 10:38:27 -0800
Subject: [PATCH 2/5] [threat-actors] Add UAC-0184
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1274e6e..2ce319c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
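Review bot: The trailing `"version": 302` context line is left untouched even though this hunk appends a new cluster entry, and the same holds for the other four patches in the series (UAC-0184, UNC1549, Mogilevich, R00tK1T). MISP galaxy consumers generally use the cluster `version` to decide whether a re-import is needed, so an instance already at 302 would silently keep the old actor list. The last patch in the series should carry `"version": 303` (or each patch its own increment if the series is meant to stay bisectable). The SPIKEDWINE entry itself is consistent with the cited Zscaler report as far as the visible text goes; it carries no attribution meta, which is correct if the reference does not attribute the activity.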
@@ -15279,6 +15279,17 @@
 },
 "uuid": "d3cda6b1-a5da-4afc-bee4-80ea2cf05e5e",
 "value": "SPIKEDWINE"
+ },
+ {
+ "description": "UAC-0184 is a threat actor targeting Ukrainian organizations in Finland, using the Remcos Remote Access Trojan in their attacks. They have been observed utilizing steganographic image files and the IDAT Loader to deliver the malware. The group has targeted the Armed Forces of Ukraine and impersonated military recruitment processes to infect systems with the Remcos RAT.",
+ "meta": {
+ "refs": [
+ "https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga",
+ "https://cert.gov.ua/article/6276988"
+ ]
+ },
+ "uuid": "0e3224a0-3544-47d7-b1ce-fb3eb21286ad",
+ "value": "UAC-0184"
 }
 ],
 "version": 302
From cc68b22fe2b160d48b86e4ed5c9f4ff11da61954 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 29 Feb 2024 10:38:27 -0800
Subject: [PATCH 3/5] [threat-actors] Add UNC1549
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2ce319c..af032c6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15290,6 +15290,17 @@
 },
 "uuid": "0e3224a0-3544-47d7-b1ce-fb3eb21286ad",
 "value": "UAC-0184"
+ },
+ {
+ "description": "UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying custom malware like MINIBIKE and MINIBUS backdoors. They have also been observed using evasion techniques and a tunneler named LIGHTRAIL in their operations.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east"
+ ]
+ },
+ "uuid": "a2a7d49f-f517-4eeb-9ec8-b9b74e3fe756",
+ "value": "UNC1549"
 }
 ],
 "version": 302
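Review bot: In the UNC1549 hunk, `"country": "IR"` is written as an unqualified attribution while the description says "potentially the IRGC" and the only reference's own slug reads "suspected-iranian-unc1549"; the meta should carry the same hedge as the prose. The threat-actor galaxy has an `attribution-confidence` field for exactly this, so adding `"attribution-confidence": "50",` next to `country` (value to be set by the maintainer's convention) keeps the structured data from overstating the source. The description also names Tortoiseshell as a linked actor; if the galaxy already has a Tortoiseshell cluster, a `related` entry pointing at its uuid would make that link machine-readable instead of prose-only.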
From 39f89c900c361572cd434132e37bd248aff0056f Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 29 Feb 2024 10:38:27 -0800
Subject: [PATCH 4/5] [threat-actors] Add Mogilevich
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index af032c6..d6c47e0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15301,6 +15301,17 @@
 },
 "uuid": "a2a7d49f-f517-4eeb-9ec8-b9b74e3fe756",
 "value": "UNC1549"
+ },
+ {
+ "description": "Mogilevich is a ransomware group known for claiming to breach organizations like Epic Games and Ireland's Department of Foreign Affairs, offering stolen data for sale without providing proof of the attacks. They operate as an extortion group, targeting high-profile victims and demanding payment for the data they claim to have stolen. Despite their claims, security researchers have noted that Mogilevich's tactics and website design suggest they may not be a sophisticated threat actor.",
+ "meta": {
+ "refs": [
+ "https://therecord.media/ireland-dfa-no-evidence-of-cybersecurity-breach",
+ "https://www.bleepingcomputer.com/news/security/epic-games-zero-evidence-we-were-hacked-by-mogilevich-gang/"
+ ]
+ },
+ "uuid": "95634994-9604-4fe6-9462-f472c2d82271",
+ "value": "Mogilevich"
 }
 ],
 "version": 302
From c11834aec420254d9dc1fcca8574a91631c9e1c7 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 29 Feb 2024 10:38:27 -0800
Subject: [PATCH 5/5] [threat-actors] Add R00tK1T
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d6c47e0..49dcfab 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
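Review bot: The Mogilevich description opens with "is a ransomware group", but nothing in the entry or its two references (whose titles read "no evidence of cybersecurity breach" and "zero evidence we were hacked") documents any ransomware deployment; the rest of the same sentence says the claims came without proof. The first clause should match the evidence level of the rest of the text, e.g. `"description": "Mogilevich is a self-styled extortion group known for claiming to breach organizations like Epic Games ...`. Keeping the label accurate matters here because the galaxy value is used for tagging and correlation, and "ransomware" will be searched on.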
@@ -15312,6 +15312,18 @@
 },
 "uuid": "95634994-9604-4fe6-9462-f472c2d82271",
 "value": "Mogilevich"
+ },
+ {
+ "description": "R00TK1T is a hacking group known for sophisticated cyber attacks targeting governmental agencies in Malaysia, including data exfiltration from the National Population and Family Development Board. The group has publicized their successful attacks on social media, showcasing stolen data. R00TK1T has also targeted Malaysian telecom providers, defacing portals and potentially breaching user data. ",
+ "meta": {
+ "country": "IL",
+ "refs": [
+ "https://logrhythm.com/blog/how-government-agencies-can-defend-against-exfiltration-tactics/",
+ "https://cyble.com/blog/cyble-chronicles-february-1-latest-findings-recommendations-for-the-cybersecurity-community/"
+ ]
+ },
+ "uuid": "69a944ef-4962-432e-a1b9-575b646ee2ed",
+ "value": "R00tK1T"
 }
 ],
 "version": 302
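Review bot: The entry's `"value": "R00tK1T"` and the description's spelling "R00TK1T" disagree on the case of the second T, so a tag or search on one form will not match the other. Pick one spelling for `value` and carry the other as `"synonyms": ["R00TK1T"]` under `meta`, which is the field the galaxy uses for alternate names. `"country": "IL"` is asserted without any support in the description or in the titles of the two cited posts; unless one of the references attributes the group, it should be dropped or accompanied by an `attribution-confidence` value rather than stated flat. The description string also ends with a trailing space after "user data." that should be trimmed.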