Merge pull request #923 from Mathieu4141/threat-actors/cc5adecb-fa3e-4128-b059-1a8216fb1d08

[threat actors] Add some missing actors named by Kaspersky
pull/928/head
Alexandre Dulaunoy 2024-02-05 20:59:00 +01:00 committed by GitHub
commit 29f5a2df07
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 118 additions and 1 deletions


@ -5225,7 +5225,8 @@
"MANGANESE",
"BRONZE FLEETWOOD",
"TEMP.Bottle",
"Mulberry Typhoon"
"Mulberry Typhoon",
"Poisoned Flight"
],
"targeted-sector": [
"Electronic",
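Review bot: the new alias "Poisoned Flight" is appended to this actor's synonyms without any corresponding addition to its refs in this hunk, so a consumer of the galaxy cannot tell which report uses that name; since the PR states these names come from Kaspersky, add the Securelist URL that introduces "Poisoned Flight" to this entry's refs (or confirm it is already present outside the hunk's context). The replacement of the unterminated `"Mulberry Typhoon"` line with `"Mulberry Typhoon",` keeps the JSON array valid, so no issue there.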
@ -14789,6 +14790,122 @@
},
"uuid": "33bfb09d-c6f4-4403-b434-1d4d4733ec52",
"value": "TA2719"
},
{
"description": "Karkadann is a threat actor that has been active since at least October 2020, targeting government bodies and news outlets in the Middle East. They have been involved in watering hole attacks, compromising high-profile websites to inject malicious JavaScript code. The group has been linked to another commercial spyware company called Candiru, suggesting they may utilize multiple spyware technologies. There are similarities in the infrastructure and tactics used by Karkadann in their campaigns.",
"meta": {
"refs": [
"https://securelist.com/apt-trends-report-q2-2022/106995/",
"https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/"
],
"synonyms": [
"Piwiks"
]
},
"uuid": "8146ba06-cef2-4a94-b26e-1a4041e04c7d",
"value": "Karkadann"
},
{
"description": "Tomiris is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.",
"meta": {
"refs": [
"https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
]
},
"uuid": "2f854548-1af0-4f55-acab-4f85ce9f162c",
"value": "Tomiris"
},
{
"description": "ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. Their activities have been detected in various locations, including Indonesia and Syria.",
"meta": {
"country": "CN",
"refs": [
"https://securelist.com/ksb-2019-review-of-the-year/95394/",
"https://securelist.com/apt-trends-report-q3-2019/94530/",
"https://securelist.com/apt-review-of-the-year/89117/"
]
},
"uuid": "07791d89-64b6-46df-9f67-ccde8c2cbb20",
"value": "ShaggyPanther"
},
{
"description": "Fishing Elephant is a threat actor that primarily targets victims in Bangladesh and Pakistan. They rely on consistent TTPs, including payload and communication patterns, while occasionally incorporating new techniques such as geo-fencing and hiding executables within certificate files. Their tool of choice is AresRAT, which they deliver through platforms like Heroku and Dropbox. Recently, they have shifted their focus to government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine, and China.",
"meta": {
"refs": [
"https://securelist.com/apt-trends-report-q1-2020/96826/",
"https://securelist.com/apt-trends-report-q1-2022/106351/"
]
},
"uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
"value": "Fishing Elephant"
},
{
"description": "RevengeHotels is a targeted cybercrime campaign that has been active since 2015, primarily targeting hotels, hostels, and tourism companies. The threat actor uses remote access Trojan malware to infiltrate hotel front desks and steal credit card data from guests and travelers. The campaign has impacted hotels in multiple countries, including Brazil, Argentina, Chile, and Mexico. The threat actor employs social engineering techniques and sells credentials from infected systems to other cybercriminals for remote access.",
"meta": {
"refs": [
"https://securelist.com/revengehotels/95229/"
]
},
"uuid": "083acee6-6969-4c74-80c2-5d442936aa97",
"value": "RevengeHotels"
},
{
"description": "GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.",
"meta": {
"country": "CN",
"refs": [
"https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
"https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
]
},
"uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
"value": "GhostEmperor"
},
{
"description": "Operation Triangulation is an ongoing APT campaign targeting iOS devices with zero-click iMessage exploits. The threat actor behind the campaign has been active since at least 2019 and continues to operate. The attack chain involves the delivery of a malicious iMessage attachment that launches a series of exploits, ultimately leading to the deployment of the TriangleDB implant. Kaspersky researchers have discovered and reported multiple vulnerabilities used in the campaign, with patches released by Apple.",
"meta": {
"refs": [
"https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/",
"https://securelist.com/operation-triangulation-catching-wild-triangle/110916/",
"https://securelist.com/triangulation-validators-modules/110847/",
"https://securelist.com/operation-triangulation/109842/"
]
},
"uuid": "220001c6-c976-4cad-a356-4d8c2dd2b1c1",
"value": "Operation Triangulation"
},
{
"description": "Operation Ghoul is a profit-driven threat actor that targeted over 130 organizations in 30 countries, primarily in the industrial and engineering sectors. They employed high-quality social engineering techniques, such as spear-phishing emails disguised as payment advice from a UAE bank, to distribute malware. The group's main motivation is financial gain through the sale of stolen intellectual property and business intelligence, as well as attacks on banking accounts. Their attacks were effective, particularly against companies that were unprepared to detect them.",
"meta": {
"refs": [
"https://securelist.com/kaspersky-security-bulletin-2016-executive-summary/76858/",
"https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/"
]
},
"uuid": "624cc006-1131-4e53-a53c-3958cfbe233f",
"value": "Operation Ghoul"
},
{
"description": "CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018. Their methods include spear-phishing, custom malware with anti-detection features, and potentially shared infrastructure with other actors.",
"meta": {
"country": "CN",
"refs": [
"https://securelist.com/apt-review-of-the-year/89117/"
]
},
"uuid": "97f40858-1582-4a59-a990-866813982830",
"value": "CardinalLizard"
},
{
"description": "Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar until a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. Kaspersky then expanded some of the findings on the group and provided insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victims machine. Kaspersky were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point.",
"meta": {
"country": "IR",
"refs": [
"https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/"
]
},
"uuid": "f34962a4-a792-4f23-af23-a8bf0f053fcf",
"value": "Ferocious Kitten"
}
],
"version": 299
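Review bot: the GhostEmperor entry lists https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation as a reference, but by its title that post covers Mandiant's UNC4841 Barracuda zero-day remediation work and nothing in the description ties UNC4841 to GhostEmperor; unless the author can point to where the post makes that link, drop it and keep only the Securelist "from ProxyLogon to kernel mode" reference. Two smaller points: the Karkadann description says the group "has been linked to another commercial spyware company called Candiru", which reads as if Karkadann were itself a spyware vendor while the rest of the text treats it as a threat actor, so "linked to the commercial spyware company Candiru" would match the cited ESET report; and the Ferocious Kitten description has "on the victims machine", which should be "on the victim's machine". Also consider adding `"country"` for Karkadann and Tomiris if the cited reports support one, as was done for the CN and IR entries in the same hunk.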