From 15297c7b5f24108e682796dc0478d8118274a833 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Mon, 24 Apr 2023 16:57:52 -0600
Subject: [PATCH 1/5] chg [threat-actors] Add RedGolf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jürgen Löhel
---
 clusters/threat-actor.json | 65 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 63 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6e8c39e..e1fbdfc 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7901,7 +7901,8 @@
 "G0044",
 "Earth Baku",
 "Amoeba",
- "HOODOO"
+ "HOODOO",
+ "Brass Typhoon"
 ]
 },
 "related": [
@@ -11259,7 +11260,67 @@
 },
 "uuid": "8ca38564-5515-45f5-9f3b-a4091546e10b",
 "value": "Anonymous Sudan"
+ },
+ {
+ "description": "Recorded Future’s Insikt Group has identified a large cluster of new operational infrastructure associated with use of the custom Windows and Linux backdoor KEYPLUG. We attribute this activity to a threat activity group tracked as RedGolf, which is highly likely to be a Chinese state-sponsored group. RedGolf closely overlaps with threat activity reported in open sources under the aliases APT41/BARIUM and has likely carried out state-sponsored espionage activity in parallel with financially motivated operations for personal gain from at least 2014 onward.",
+ "meta": {
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-target-category": [
+ "Aviation",
+ "Automotive",
+ "Education",
+ "Intergovernmental",
+ "Media and Entertainment",
+ "Information Technology",
+ "Religious Organizations"
+ ],
+ "country": "CN",
+ "motive": "state-sponsored espionage and financially motivated",
+ "references": [
+ "https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf",
+ "https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "overlaps"
+ },
+ {
+ "dest-uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2c4bfc14-3ea4-4ced-806a-fcac30b2a9d7",
+ "tags": [
+ 
"estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + } + ], + "uuid": "eff0c059-5449-4207-9860-715475139595", + "value": "RedGolf" } ], - "version": 271 + "version": 272 } From 095c44e2ac1120dccd1257084a6d401b374eafdc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 26 Apr 2023 07:48:29 +0200 Subject: [PATCH 2/5] chg: [attck4fraud] add ATM cash trapping in the matrix --- clusters/attck4fraud.json | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json index 5b13025..73d0209 100644 --- a/clusters/attck4fraud.json +++ b/clusters/attck4fraud.json @@ -84,6 +84,19 @@ "uuid": "0e45e11c-9c24-49a2-b1fe-5d78a235844b", "value": "ATM skimming" }, + { + "description": "Trap the cash dispenser with a physical component. Type 1 are visible to the user and type 2 are hidden in the cash dispenser", + "meta": { + "kill_chain": [ + "fraud-tactics:Initiation" + ], + "refs": [ + "https://medium.com/@netsentries/beware-of-atm-cash-trapping-9421e498dfcf" + ] + }, + "uuid": "1e709b6e-ff4a-4645-adec-42f9636d38f8", + "value": "ATM cash trapping" + }, { "description": "ATM Shimming refers to the act of capturing a bank card data accessing the EMV chip installed on the card while presenting the card to a ATM. Due to their low profile, shimmers can be fit inside ATM card readers and are therefore more difficult to detect.", "meta": { @@ -380,5 +393,5 @@ "value": "ATM Explosive Attack" } ], - "version": 3 + "version": 4 } From 142d4aeaefd079f7422e13b0a7a83b8c4ddb66eb Mon Sep 17 00:00:00 2001 From: Sebastien Larinier Date: Wed, 26 Apr 2023 14:26:48 +0200 Subject: [PATCH 3/5] Update threat-actor.json --- clusters/threat-actor.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index e1fbdfc..47a3694 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -10111,13 +10111,17 @@
 "Hong Kong",
 "Malaysia",
 "India",
- "Taiwan"
+ "Taiwan",
+ "Macao",
+ "Nigeria",
+ " Daggerfly"
 ],
 "country": "CN",
 "refs": [
 "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware",
 "https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf",
- "https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s"
+ "https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s",
+ "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/"
 ],
 "synonyms": [
 "Evasive Panda"
From d60cca9302051b34381f22ac3fdef2a101bb6724 Mon Sep 17 00:00:00 2001
From: Sebastien Larinier
Date: Wed, 26 Apr 2023 21:46:33 +0200
Subject: [PATCH 4/5] Update threat-actor.json fix mistake
---
 clusters/threat-actor.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 47a3694..e478bfa 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10113,8 +10113,7 @@
 "India",
 "Taiwan",
 "Macao",
- "Nigeria",
- " Daggerfly"
+ "Nigeria"
 ],
 "country": "CN",
 "refs": [
@@ -10124,7 +10123,8 @@
 "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/"
 ],
 "synonyms": [
- "Evasive Panda"
+ "Evasive Panda",
+ " Daggerfly"
 ]
 },
 "uuid": "62710572-e416-419d-bb1f-81ffc1ddc976",
From ddc285581d9808d0463c10daec16f2140e4d2120 Mon Sep 17 00:00:00 2001
From: Sebastien Larinier
Date: Wed, 26 Apr 2023 21:52:57 +0200
Subject: [PATCH 5/5] Update threat-actor.json
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e478bfa..dd59e6d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
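Review bot: The alias this commit moves into `synonyms` still carries the leading space it had in patch 3, `" Daggerfly"`, so exact-match alias lookups and deduplication against other galaxies will not match `Daggerfly`; it should be `"Daggerfly"`. Patch 5 below only touches whitespace on the `"Nigeria"` line and leaves this as is. The Evasive Panda entry this hunk edits begins and ends outside the hunk.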
@@ -10113,7 +10113,7 @@
 "India",
 "Taiwan",
 "Macao",
- "Nigeria"
+ "Nigeria"
 ],
 "country": "CN",
 "refs": [