From 9f29f297d2d45057a8dc11b22068194b264c1ca4 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 13 Dec 2018 09:43:20 +0100
Subject: [PATCH 1/3] add shamoon synonym

---
 clusters/tool.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 2d056f7..b87a02f 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3263,7 +3263,11 @@
 "description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]",
 "meta": {
 "refs": [
- "https://en.wikipedia.org/wiki/Shamoon"
+ "https://en.wikipedia.org/wiki/Shamoon",
+ "https://securityaffairs.co/wordpress/78867/breaking-news/shamoon-virustotal.html"
+ ],
+ "synonyms": [
+ "DistTrack"
 ]
 },
 "related": [

From a9265d9858b55d990569f2a2b69f3aa06ae9f0ce Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 13 Dec 2018 09:44:09 +0100
Subject: [PATCH 2/3] update toll version

---
 clusters/tool.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index b87a02f..97c0988 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7479,5 +7479,5 @@
 "value": "SpicyOmelette"
 }
 ],
- "version": 105
+ "version": 106
 }

From cb4345adf928f2165937318270ca0b706edc0745 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 13 Dec 2018 13:47:54 +0100
Subject: [PATCH 3/3] add operation sharpshooter

---
 clusters/threat-actor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5c26c15..e16c13e 100644
--- a/clusters/threat-actor.json
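Review bot: The new `synonyms` entry spells the alias `DistTrack` while the description line in the same hunk spells it `Disttrack`; any consumer that matches synonyms case-sensitively will treat these as two different names, so pick one spelling and use it in both places (vendor detection names are generally written `Disttrack`, but confirm against the vendor naming before settling). The added securityaffairs.co link is a secondary news write-up; a practitioner checking this cluster would want the primary vendor analysis it summarises listed alongside it, if one is available. The second hunk on this line is a plain version bump and needs nothing.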
+++ b/clusters/threat-actor.json
@@ -6110,7 +6110,17 @@
 ],
 "uuid": "6d50a8a2-fdf5-11e8-9db3-833f231caac8",
 "value": "GC02"
+ },
+ {
+ "description": "The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.\nOperation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.",
+ "meta": {
+ "refs": [
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/"
+ ]
+ },
+ "uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
+ "value": "Operation Sharpshooter"
 }
 ],
- "version": 83
+ "version": 84
 }
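Review bot: The new entry is added to threat-actor.json as an actor named `Operation Sharpshooter`, yet the pasted description itself calls it a campaign, explicitly declines attribution and warns of possible false flags, so anything that tags events from this cluster will assert an "actor" the cited source does not. If it stays here, give it a `related` entry (the `related` key is visible as context in the tool.json hunk of this series) pointing at the existing Lazarus Group cluster uuid with `"type": "similar"` and a likelihood tag that reflects the stated uncertainty, and prefix the description with a short attribution note such as `Attribution: McAfee reports technical overlap with Lazarus Group but does not attribute the campaign.` so the verbatim first-person vendor text ("which we call Rising Sun", "We shall leave attribution") does not read as the galaxy's own position. The `Rising Sun` implant named in the description is a tool and belongs in tool.json alongside the Shamoon entry, not buried in an actor description. The enclosing `values` array starts outside the hunk.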