Merge branch 'master' of https://github.com/MISP/misp-galaxy into target-location-galaxy

pull/459/head
Deborah Servili 2019-09-25 13:39:33 +02:00
commit 335402c886
23 changed files with 7701 additions and 490 deletions

1
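--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+__pycache__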


@ -80,7 +80,17 @@
],
"uuid": "a4757e11-0837-42c0-958a-7490cff58687",
"value": "SLUB"
},
{
"description": "Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/"
]
},
"uuid": "b7ad60a0-d648-4775-adec-c78b1a92fc34",
"value": "Asruex"
}
],
"version": 5
"version": 6
}


@ -218,9 +218,6 @@
{
"description": "Taurus Builder is a tool used to generate malicious MS Word documents that contain macros. The kit is advertised on forums by the user \"badbullzvenom\". ",
"meta": {
"refs": [
""
],
"status": "Active"
},
"uuid": "63988ca2-46c8-4bda-be46-96a8670af357",


@ -775,7 +775,7 @@
"meta": {
"external_id": "T1452",
"kill_chain": [
"mitre-mobile-attack:effects"
"mitre-mobile-attack:impact"
],
"mitre_platforms": [
"Android",
@ -2072,7 +2072,7 @@
"meta": {
"external_id": "APP-28",
"kill_chain": [
"mitre-mobile-attack:effects"
"mitre-mobile-attack:impact"
],
"mitre_platforms": [
"Android",
@ -3648,7 +3648,7 @@
"meta": {
"external_id": "T1472",
"kill_chain": [
"mitre-mobile-attack:effects"
"mitre-mobile-attack:impact"
],
"mitre_platforms": [
"Android",
@ -3825,7 +3825,7 @@
"meta": {
"external_id": "T1448",
"kill_chain": [
"mitre-mobile-attack:effects"
"mitre-mobile-attack:impact"
],
"mitre_platforms": [
"Android"
@ -7096,7 +7096,7 @@
"meta": {
"external_id": "T1447",
"kill_chain": [
"mitre-mobile-attack:effects"
"mitre-mobile-attack:impact"
],
"mitre_platforms": [
"Android"
@ -9731,7 +9731,7 @@
"meta": {
"external_id": "APP-28",
"kill_chain": [
"mitre-mobile-attack:effects"
"mitre-mobile-attack:impact"
],
"mitre_platforms": [
"Android"
@ -10263,7 +10263,7 @@
"value": "Repackaged Application - T1444"
},
{
"description": "Adversaries may destroy data data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 
2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)",
"description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 
2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)",
"meta": {
"external_id": "T1485",
"kill_chain": [
@ -10637,7 +10637,7 @@
"value": "Masquerading - T1036"
},
{
"description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. (Citation: Metasploit) (Citation: Metasploit), (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)",
"description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)",
"meta": {
"external_id": "T1064",
"kill_chain": [
@ -11083,5 +11083,5 @@
"value": "DNSCalc - T1324"
}
],
"version": 9
"version": 10
}



@ -3672,5 +3672,5 @@
"value": "Security Software Discovery Mitigation - T1063"
}
],
"version": 7
"version": 8
}




@ -1670,5 +1670,5 @@
"value": "Malicious Software Development Tools - MOB-T1065"
}
],
"version": 5
"version": 6
}


@ -274,6 +274,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee",
@ -304,5 +311,5 @@
"value": "Encrypt Network Traffic - MOB-M1009"
}
],
"version": 6
"version": 7
}


@ -1117,5 +1117,5 @@
"value": "XcodeGhost - MOB-S0013"
}
],
"version": 8
"version": 9
}


@ -2785,5 +2785,5 @@
"value": "Data Hiding - PRE-T1097"
}
],
"version": 6
"version": 7
}


@ -222,6 +222,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
@ -369,5 +376,5 @@
"value": "APT17 - G0025"
}
],
"version": 8
"version": 9
}


@ -2493,8 +2493,8 @@
"refs": [
"https://attack.mitre.org/software/S0262",
"https://github.com/quasar/QuasarRAT",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
],
"synonyms": [
"QuasarRAT",
@ -3724,5 +3724,5 @@
"value": "Nltest - S0359"
}
],
"version": 13
"version": 15
}


@ -12889,8 +12889,7 @@
"read_me_for_recover_your_files.txt"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/",
""
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/"
]
},
"uuid": "3675e50d-3f76-45f8-b3f3-4a645779e14d",
@ -13472,7 +13471,55 @@
},
"uuid": "6cfa553a-1e1b-115a-401f-015d681470b1",
"value": "GetCrypt"
},
{
"description": "A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.",
"meta": {
"payment-method": "Bitcoin",
"price": "1000 $",
"refs": [
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections"
]
},
"uuid": "6cfa554a-1e2b-115a-400f-014d671470b1",
"value": "Nemty"
},
{
"description": "Buran is a new version of the Vega ransomware strain (a.k.a. Jamper, Ghost, Buhtrap) that attacked accountants from February through April 2019. The new Buran ransomware first was discovered by nao_sec in June 2019, delivered by the RIG Exploit Kit, as reported by BleepingComputer.",
"meta": {
"refs": [
"https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit"
]
},
"uuid": "6cfa554a-1e1b-114a-300f-013d671370b0",
"value": "Buran"
},
{
"description": "The Hildacrypt ransomware encrypts the victims files with a strong encryption algorithm and the filename extension .hilda until the victim pays a fee to get them back.",
"meta": {
"refs": [
"https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/"
]
},
"uuid": "6cea5549-1d1b-111a-309f-012d671360b1",
"value": "Hildacrypt"
},
{
"description": "Mr. Dec ransomware is cryptovirus that was first spotted in mid-May 2018, and since then was updated multiple times. The ransomware encrypts all personal data on the device with the help of AES encryption algorithm and appends .[ID]random 16 characters[ID] file extension, preventing from their further usage.",
"meta": {
"encryption": "AES",
"refs": [
"https://www.2-spyware.com/remove-mr-dec-ransomware.html",
"https://id-ransomware.blogspot.com/2018/05/mrdec-ransomware.html"
],
"synonyms": [
"MrDec",
"Sherminator"
]
},
"uuid": "7cea4438-1d1c-121a-30af-011d661260b2",
"value": "Mr.Dec"
}
],
"version": 64
"version": 68
}
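Review bot: The uuids of the four new entries (`6cfa554a-1e2b-115a-400f-014d671470b1`, `6cfa554a-1e1b-114a-300f-013d671370b0`, `6cea5549-1d1b-111a-309f-012d671360b1`, `7cea4438-1d1c-121a-30af-011d661260b2`) look like hand-edited variations of the neighbouring GetCrypt uuid rather than generated values, and their variant nibble (first hex digit of the fourth group: 4, 3, 3, 3) is not one of 8, 9, a or b, so they are not RFC 4122 UUIDs. MISP correlates clusters across galaxies by uuid, so hand-derived ids carry an avoidable collision risk; generating them with `python3 -c 'import uuid; print(uuid.uuid4())'` before adding an entry removes it. The InnfiRAT uuid added to the tool cluster in this same commit appears to be derived from the adjacent AsyncRAT uuid in the same way and deserves the same treatment.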


@ -3382,7 +3382,39 @@
},
"uuid": "0f117f50-9657-11e9-8e2b-83e391e0ce57",
"value": "Felipe"
},
{
"description": "Amavaldo is banking trojan writen in Delphi and known to targeting Spanish or Portuguese speaking countries. It contains backdoor functionality and can work as multi stage. Amavaldo also abuses legitimate tools and softwares",
"meta": {
"date": "2019",
"refs": [
"https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/"
]
},
"uuid": "39c65b1d-7799-43d6-a963-4a058b1c756e",
"value": "Amavaldo Banking Trojan"
},
{
"description": "Open-Source Remote Administration Tool For Windows C# (RAT)",
"meta": {
"refs": [
"https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"
]
},
"uuid": "1b6a065c-40ba-4aa5-a46b-813e74e010fe",
"value": "AsyncRAT"
},
{
"description": "new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks from an infected machine",
"meta": {
"refs": [
"https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more"
]
},
"uuid": "1b4a085c-30bb-5aa5-b46a-803e94e010ff",
"value": "InnfiRAT"
}
],
"version": 30
"version": 31
}


@ -1493,7 +1493,7 @@
"Zhōnghuá Rénmín Gònghéguó"
],
"territory-type": [
""
"Country"
]
},
"uuid": "53d3d205-db31-4ec9-86aa-c2bf11fd18e6",


@ -2384,7 +2384,7 @@
"https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
"https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN",
"file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
"https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
"https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
"https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
@ -2575,7 +2575,8 @@
"Pacifier APT",
"Popeye",
"SIG23",
"Iron Hunter"
"Iron Hunter",
"MAKERSMARK"
]
},
"related": [
@ -2634,7 +2635,8 @@
"https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
"https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
"https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
"https://attack.mitre.org/groups/G0035/"
"https://attack.mitre.org/groups/G0035/",
"https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
],
"synonyms": [
"Dragonfly",
@ -2642,7 +2644,8 @@
"Group 24",
"Havex",
"CrouchingYeti",
"Koala Team"
"Koala Team",
"IRON LIBERTY"
]
},
"related": [
@ -2857,13 +2860,15 @@
"https://www.cfr.org/interactive/cyber-operations/team-spy-crew",
"https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/",
"https://www.crysys.hu/publications/files/teamspy.pdf",
"https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf"
"https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf",
"https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
],
"synonyms": [
"TeamSpy",
"Team Bear",
"Berserk Bear",
"Anger Bear"
"Anger Bear",
"IRON LYRIC"
]
},
"related": [
@ -3730,10 +3735,12 @@
"refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf",
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
"https://attack.mitre.org/groups/G0037/"
"https://attack.mitre.org/groups/G0037/",
"https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/"
],
"synonyms": [
"Skeleton Spider"
"Skeleton Spider",
"ITG08"
]
},
"related": [
@ -4252,7 +4259,8 @@
"http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution",
"https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
"https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
"https://attack.mitre.org/groups/G0047/"
"https://attack.mitre.org/groups/G0047/",
"https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon"
]
},
"related": [
@ -4669,7 +4677,8 @@
"https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html"
],
"synonyms": [
"Machete"
"Machete",
"machete-apt"
]
},
"uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3",
@ -4766,6 +4775,9 @@
"refs": [
"https://www.fireeye.com/current-threats/apt-groups.html",
"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf"
],
"synonyms": [
"MANGANESE"
]
},
"uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
@ -5745,7 +5757,8 @@
"TEMP.Jumper",
"APT 40",
"APT40",
"BRONZE MOHAWK"
"BRONZE MOHAWK",
"GADOLINIUM"
]
},
"related": [
@ -6901,7 +6914,11 @@
"https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
"https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
"https://threatpost.com/ta505-servhelper-malware/140792/",
"https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/"
"https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/",
"https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/"
],
"synonyms": [
"SectorJ04 Group"
]
},
"uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@ -7270,6 +7287,7 @@
"https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment",
"https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic",
"https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary",
"https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again",
"https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities"
],
"synonyms": [
@ -7414,8 +7432,7 @@
"meta": {
"refs": [
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf",
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf",
""
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf"
]
},
"uuid": "e502802e-8d0a-11e9-bd72-9f046529b3fd",
@ -7622,7 +7639,112 @@
},
"uuid": "64ac8827-89d9-4738-9df3-cd955c628bee",
"value": "SWEED"
},
{
"description": "Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013.",
"meta": {
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology"
]
},
"uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
"value": "TA428"
},
{
"meta": {
"refs": [
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
]
},
"uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
"value": "LYCEUM"
},
{
"description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.",
"meta": {
"cfr-suspected-state-sponsor": "People's Republic of China",
"cfr-suspected-victims": [
"France",
"India",
"Italy",
"Japan",
"Myanmar",
"Netherlands",
"Singapore",
"South Korea",
"South Africa",
"Switzerland",
"Thailand",
"Turkey",
"United Kingdom",
"United States"
],
"cfr-target-category": [
"Automotive",
"Business",
"Services",
"Cryptocurrency",
"Education",
"Energy",
"Financial",
"Healthcare",
"High-Tech",
"Intergovernmental",
"Media and Entertainment",
"Pharmaceuticals",
"Retail",
"Telecommunications",
"Travel"
],
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
]
},
"uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
"value": "APT41"
},
{
"description": "SectorJ04 is a Russian-based cybercrime group that began operating about five years ago and conducted hacking activities for financial profit using malware such as banking trojans and ransomware against national and industrial sectors located across Europe, North America and West Africa.\nIn 2019, the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia, and is changing the pattern of their attacks from targeted attacks to searching for random victims. This report includes details related to the major hacking targets of the SectorJ04 group in 2019, how those targets were hacked, characteristics of their hacking activities this year and recent cases of the SectorJ04 groups hacking.",
"uuid": "50e25cfb-8b4d-408d-a7c6-bd0672662d39",
"value": "SectorJ04"
},
{
"description": "A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers customers.\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.",
"meta": {
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"
]
},
"uuid": "5f108484-db7f-11e9-aaa4-fb0176425734",
"value": "Tortoiseshell"
},
{
"description": "Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.",
"meta": {
"refs": [
"https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/",
"https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/"
],
"synonyms": [
"Evil Eye"
]
},
"uuid": "7aa99279-4255-4d26-bb95-12e7156555a0",
"value": "POISON CARP"
},
{
"description": "Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack. (Note confusion between Malware, Campaign and ThreatActor)",
"uuid": "5cd95926-0098-435e-892d-9c9f61763ad7",
"value": "LookBack",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
"https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks"
]
}
}
],
"version": 122
"version": 135
}
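Review bot: The new standalone `"value": "SectorJ04"` cluster has no `meta` and therefore no `refs`, while the same commit adds `SectorJ04 Group` as a synonym of TA505 together with the NSHC report that describes SectorJ04 (`https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/`), so the same actor is now represented twice, once as a synonym and once as an entry, and the duplicate check will not flag it because the names differ. Either drop the standalone entry or give it the NSHC ref and a `related` link to the TA505 uuid so the overlap is visible to consumers. The `LookBack` entry places `meta` after `value`, unlike every other cluster in this file, and its description ends with the editorial remark `(Note confusion between Malware, Campaign and ThreatActor)`, which belongs in the commit message rather than in the description string served to MISP users.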


@ -7798,7 +7798,17 @@
},
"uuid": "9ff6e087-6755-447a-b537-8f06c7aa4a85",
"value": "Bookworm"
},
{
"description": "We named the malware family described in the rest of this blog post Amavaldo. This family is still in active development the latest version we have observed (10.7) has a compilation timestamp of June 10th, 2019.",
"meta": {
"refs": [
"https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/"
]
},
"uuid": "c72f8f57-fc2f-4ca2-afbe-ca5bfa5a1747",
"value": "Amavaldo"
}
],
"version": 122
"version": 123
}

0
tools/__init__.py Normal file


@ -8,9 +8,19 @@ import os
import collections
def loadjsons(path):
def loadjsons(path, return_paths=False):
"""
Find all Jsons and load them in a dict
Find all Jsons and load them in a dict
Parameters:
path: string
return_names: boolean, if the name of the file should be returned,
default: False
Returns:
List of parsed file contents.
If return_paths is True, then every list item is a tuple of the
file name and the file content
"""
files = []
data = []
@ -18,9 +28,14 @@ def loadjsons(path):
if os.path.isfile(os.path.join(path, name)) and name.endswith('.json'):
files.append(name)
for jfile in files:
data.append(json.load(open("%s/%s" % (path, jfile))))
filepath = os.path.join(path, jfile)
if return_paths:
data.append((filepath, json.load(open(filepath))))
else:
data.append(json.load(json.load(open(filepath))))
return data
if __name__ == '__main__':
"""
Iterate all name + synonyms
@ -33,19 +48,19 @@ if __name__ == '__main__':
items = djson.get('values')
for entry in items:
name = entry.get('value').strip().lower()
counter[name]+=1
counter[name] += 1
namespace.append([name, djson.get('name')])
try:
for synonym in entry.get('meta').get('synonyms'):
name = synonym.strip().lower()
counter[name]+=1
counter[name] += 1
namespace.append([name, djson.get('name')])
except (AttributeError, TypeError):
pass
counter = dict(counter)
for key, val in counter.items():
if val>1:
print ("Warning duplicate %s" % key)
if val > 1:
print("Warning duplicate %s" % key)
for item in namespace:
if item[0]==key:
print (item)
if item[0] == key:
print(item)
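Review bot: The non-`return_paths` branch, `data.append(json.load(json.load(open(filepath))))`, applies `json.load` twice; the inner call already returns the parsed object, so the outer call receives a dict and raises, which breaks the default call path used by the duplicate check below. Both branches also open the file without closing it; opening it once in a `with` block and selecting the list item afterwards fixes the double load and the handle leak together. The docstring names the new flag `return_names` while the parameter is `return_paths`; the two should agree, e.g. `return_paths: boolean, if the path of the file should be returned,`. `loadjsons` is split across the two hunks of this file, so its signature is in the preceding hunk and only the loop body is visible here.

```python
    for jfile in files:
        filepath = os.path.join(path, jfile)
        with open(filepath) as fh:
            content = json.load(fh)
        data.append((filepath, content) if return_paths else content)
    return data
```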

24
tools/chk_empty_strings.py Executable file

@ -0,0 +1,24 @@
#!/usr/bin/env python3
# coding=utf-8
"""
Tools to find empty string entries in galaxies
"""
from .chk_dup import loadjsons
import sys
if __name__ == '__main__':
jsons = loadjsons("clusters", return_paths=True)
retval = 0
for clustername, djson in jsons:
items = djson.get('values')
for entry in items:
name = entry.get('value')
for key, value in entry.get('meta', {}).items():
if isinstance(value, list):
if '' in value:
retval = 1
print("Empty string found in Cluster %r: values/%s/meta/%s"
"" % (clustername, name, key),
file=sys.stderr)
sys.exit(retval)
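Review bot: The check only inspects list-valued meta entries (`if isinstance(value, list):`), so a scalar meta field set to `""` passes silently even though it is the same data defect; broadening the test to `if value == '' or (isinstance(value, list) and '' in value):` covers both shapes. `entry.get('meta', {})` raises AttributeError if a cluster stores `"meta": null` instead of omitting the key, so `(entry.get('meta') or {}).items()` is the safer form. The trailing `""` literal in the `print` call is a no-op string concatenation and can be dropped.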


@ -84,3 +84,6 @@ do
fi
echo ''
done
# check for empyt strings in clusters
python3 -m tools.chk_empty_strings
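Review bot: The comment on the new line reads `# check for empyt strings in clusters` and should be `# check for empty strings in clusters`. Whether the checker's non-zero exit status actually fails the run depends on how this script handles errors earlier (for example `set -e` or an accumulated status variable), which is outside this hunk; if nothing propagates it, the new check cannot fail the build.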