From 775d3c183b3f6dfa333a374396b8106464c48ab8 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Wed, 7 Sep 2022 09:26:38 +0200
Subject: [PATCH 1/3] Add Lockbit synonym
---
 clusters/ransomware.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 23a7c2f1..67a8ef01 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -14340,7 +14340,7 @@
 "refs": [
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/",
 "https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware"
- ]
+ ], "synonyms": ["ABCD ransomware"]
 },
 "uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51",
 "value": "LockBit"
@@ -24584,5 +24584,5 @@
 "value": "Maui ransomware"
 }
 ],
- "version": 106
+ "version": 107
 }
From 77db2370b1b932a175133e5a4a171cd8644d60c0 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Wed, 7 Sep 2022 11:00:41 +0200
Subject: [PATCH 2/3] Add Lockbit synonym
---
 clusters/ransomware.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 67a8ef01..b8f79d58 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
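Review bot: The added line `], "synonyms": ["ABCD ransomware"]` folds the closing bracket of `refs` and the new key onto a single line, which breaks the one-property-per-line layout used everywhere else in this cluster file and would be rewritten by any JSON normaliser the repository runs. PATCH 2/3 of this same series replaces exactly that line, so the two commits should be squashed so that no intermediate revision carries the malformed layout. The LockBit object this hunk edits begins before the hunk.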
@@ -14331,6 +14331,10 @@
 {
 "description": "LockBit operators tend to be very indiscriminate and opportunistic in their targeting. Actors behind this attack will use a variety of methods to gain initial access, up to and including basic methods such as brute force.\nAfter gaining initial access the actor follows a fairly typical escalation, lateral movement and ransomware execution playbook. LockBit operators tend to have a very brief dwell time, executing the final ransomware payload as quickly as they are able to. LockBit ransomware has the built-in lateral movement features; given adequate permissions throughout the targeted environment.",
 "meta": {
+ "extensions": [
+ ".abcd",
+ ".LockBit"
+ ],
 "ransomnotes-filenames": [
 "Restore-My-Files.txt"
 ],
@@ -14340,7 +14344,10 @@
 "refs": [
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/",
 "https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware"
- ], "synonyms": ["ABCD ransomware"]
+ ],
+ "synonyms": [
+ "ABCD ransomware"
+ ]
 },
 "uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51",
 "value": "LockBit"
From 0440db12e91ee38312fb055f32a555f753fba9a4 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Wed, 7 Sep 2022 11:01:23 +0200
Subject: [PATCH 3/3] add DangerousSavanna campaign
---
 clusters/threat-actor.json | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5a923126..9fd1ae49 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
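Review bot: The new `extensions` value `".LockBit"` is written with a casing that neither of the entry's two refs is cited for, and consumers that turn this field into file-name matches or detection rules often compare extensions case-sensitively, so the exact string should be confirmed against the referenced reports (public write-ups generally give the later extension in lowercase as `.lockbit`, but that should be checked rather than assumed) and a ref that documents it added. The flat list also gives a reader no way to tell that `.abcd` belongs to the early samples named by the `ABCD ransomware` synonym while later builds changed extension; a short clause in the description, e.g. `"Early samples appended .abcd to encrypted files; later builds changed the extension."`, would preserve that distinction. The LockBit object opens at the top of this hunk and continues past its end.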
@@ -9714,7 +9714,27 @@
 },
 "uuid": "fa1fdccb-1a06-4607-bd45-1a7df4db02d7",
 "value": "Aoqin Dragon"
+ },
+ {
+ "description": "Malicious campaign called DangerousSavanna has been targeting multiple major financial service groups in French-speaking Africa for the last two years. The threat actors behind this campaign use spear-phishing as a means of initial infection, sending emails with malicious attachments to the employees of financial institutions in at least five different French-speaking countries: Ivory Coast, Morocco, Cameroon, Senegal, and Togo.\nDangerousSavanna tends to install relatively unsophisticated software tools in the infected environments. These tools are both self-written and based on open-source projects such as Metasploit, PoshC2, DWservice, and AsyncRAT. The threat actors’ creativity is on display in the initial infection stage, as they persistently pursue the employees of the targeted companies, constantly changing infection chains that utilize a wide range of malicious file types, from self-written executable loaders and malicious documents, to ISO, LNK, JAR and VBE files in various combinations. The evolving infection chains by the threat actor reflect the changes in the threat landscape seen over the past few years as infection vectors became more and more sophisticated and diverse.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "Ivory Coast",
+ "Morocco",
+ "Cameroon",
+ "Senegal",
+ "Togo"
+ ],
+ "refs": [
+ "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/"
+ ],
+ "threat-actor-classification": [
+ "campaign"
+ ]
+ },
+ "uuid": "1bb64526-cc51-475a-b6bc-af30df9f2fb6",
+ "value": "DangerousSavanna"
 }
 ],
- "version": 245
+ "version": 246
 }
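Review bot: The new description dates the campaign only relatively ("for the last two years"), which is wrong the moment the cluster is read later and silently drifts further every year; anchor it to the source, e.g. `"... in French-speaking Africa for the last two years (as of the 2022 Check Point report)."`. The description names Metasploit, PoshC2, DWservice and AsyncRAT but the entry carries no `related` array, so MISP cannot pivot from this campaign to those tools; if they exist as clusters in the tool/RAT galaxies, adding `related` entries (e.g. with `"type": "uses"`) would make the association machine-readable instead of prose-only. `cfr-suspected-victims` is populated but the sector is not, even though the description is explicit about financial institutions; a `cfr-target-category` value such as `"Private sector"` seems appropriate, provided it matches how other entries in this file use that field.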