chg: [threat-actor] add exotic lily, ta578, ta579

2022-05-14 20:52:15 +05:30 · 2022-05-14 20:52:15 +05:30 · 2721522e82
parent 9777f40b58
commit 2721522e82
1 changed files with 35 additions and 1 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -9285,7 +9285,41 @@
      },
      "uuid": "64930954-db40-4d97-8fc4-76079d239e15",
      "value": "Elephant Beetle"
+    },
+    {
+      "description": "EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEEBEE and BAZARLOADER, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability",
+          "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti"
+        ],
+        "synonyms": [
+          "DEV-0413"
+        ]
+      },
+      "uuid": "3ce2a9e0-c435-402a-a7f3-d48b64d1ab9d",
+      "value": "EXOTIC LILY"
+    },
+    {
+      "description": "TA578, a threat actor that Proofpoint researchers have been tracking since May of 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.",
+      "meta": {
+        "refs": [
+          "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming"
+        ]
+      },
+      "uuid": "d1a8626a-06a5-4ecc-9519-e17fc6724f15",
+      "value": "TA578"
+    },
+    {
+      "description": "TA579, a threat actor that Proofpoint researchers have been tracking since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.",
+      "meta": {
+        "refs": [
+          "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming"
+        ]
+      },
+      "uuid": "7ab283ac-b78f-42db-b564-0550b9637b0b",
+      "value": "TA579"
    }
  ],
-  "version": 226
+  "version": 227
 }