From 6ca498872a488593cd8d1e54b29e8d3ba88e38fe Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 22 Apr 2024 07:48:44 -0700 Subject: [PATCH 1/3] [threat-actors] Add GhostR --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 76446f7..ff4a5e9 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -15874,6 +15874,17 @@ ], "uuid": "97c6d972-a3af-4a21-94a2-0f5e09c7320e", "value": "UNC3236" + }, + { + "description": "Ghostr is a financially motivated threat actor known for stealing a confidential database containing 5.3 million records from the World-Check and leaking about 186GB of data from a stock trading platform. They have been active on Breachforums.is, revealing massive data breaches involving comprehensive details of Thai users, including full names, phone numbers, email addresses, and ID card numbers.", + "meta": { + "refs": [ + "https://securityaffairs.com/162136/cyber-crime/hackers-threaten-leak-world-check.html", + "https://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web" + ] + }, + "uuid": "0e4ed0ab-87e2-4588-8fc0-3d720e0efebd", + "value": "GhostR" } ], "version": 307 From 337c21be5bbd443a7153db65f2e017b712f7f45f Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 22 Apr 2024 07:48:44 -0700 Subject: [PATCH 2/3] [threat-actors] Add UTA0218 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ff4a5e9..3f99ff7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -15885,6 +15885,17 @@ }, "uuid": "0e4ed0ab-87e2-4588-8fc0-3d720e0efebd", "value": "GhostR" + }, + { + "description": "UTA0218 is a threat actor with advanced capabilities, targeting organizations to establish a reverse shell, acquire tools, and extract data. They exploit vulnerabilities in firewall devices to move laterally within victim networks, focusing on obtaining domain backup keys and active directory credentials. The actor deploys a custom Python backdoor named UPSTYLE to execute commands and download additional tools. UTA0218 is likely state-backed, utilizing a mix of infrastructure including VPNs and compromised routers to store malicious files.", + "meta": { + "refs": [ + "https://www.enigmasoftware.com/cve20243400vulnerability-removal/", + "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/" + ] + }, + "uuid": "ee8b8fc4-59f4-4442-a4e6-3686d09c6509", + "value": "UTA0218" } ], "version": 307 From 2de3357ec050601df344f1b9180f998e83135cb7 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 22 Apr 2024 07:48:44 -0700 Subject: [PATCH 3/3] [threat-actors] Add UAC-0149 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 3f99ff7..3e289e9 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -15896,6 +15896,17 @@ }, "uuid": "ee8b8fc4-59f4-4442-a4e6-3686d09c6509", "value": "UTA0218" + }, + { + "description": "UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.", + "meta": { + "refs": [ + "https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/", + "https://cert.gov.ua/article/6277849" + ] + }, + "uuid": "f5f6d4eb-1ec3-494e-807d-5b767122f9b2", + "value": "UAC-0149" } ], "version": 307