From 3dc460e795b90a6792f9374dbbcd2cde16f680a4 Mon Sep 17 00:00:00 2001
From: "pnx@pyrite"
Date: Wed, 4 Mar 2020 13:36:34 +0100
Subject: [PATCH] adding new/updated threat actor names from CrowdStrike 2020 report
---
 clusters/threat-actor.json | 170 +++++++++++++++++++++++++++++++++----
 1 file changed, 153 insertions(+), 17 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 439c2b6c..5c7ad121 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1673,7 +1673,8 @@
 "country": "CN",
 "refs": [
 "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
- "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/"
+ "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ],
 "synonyms": [
 "APT23",
@@ -1897,7 +1898,8 @@
 "https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber",
 "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
 "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
- "https://attack.mitre.org/groups/G0058/"
+ "https://attack.mitre.org/groups/G0058/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ],
 "synonyms": [
 "Newscaster",
@@ -2827,7 +2829,8 @@
 "http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
 "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
 "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
- "https://attack.mitre.org/groups/G0046/"
+ "https://attack.mitre.org/groups/G0046/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ],
 "synonyms": [
 "Carbanak",
@@ -2908,7 +2911,8 @@
 "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
 "https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware",
 "https://www.kaspersky.com/blog/financial-trojans-2019/25690/",
- "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/"
+ "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb",
@@ -4272,7 +4276,11 @@
 "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
 "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
 "https://attack.mitre.org/groups/G0047/",
- "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon"
+ "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ],
+ "synonyms": [
+ "Primitive Bear"
 ]
 },
 "related": [
@@ -4760,6 +4768,7 @@
 "uuid": "4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8",
 "value": "Cyber Berkut"
 },
+ {
 "meta": {
 "attribution-confidence": "50",
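Review bot: The synonym added at `+ "Primitive Bear"` in the Gamaredon hunk (@@ -4272) is the only CrowdStrike name in this commit not written in capitals; the others (`GRACEFUL SPIDER`, `WHISPER SPIDER`, `REMIX KITTEN`, `LOTUS PANDA`, `CIRCUIT PANDA`) follow CrowdStrike's capitalised form, and consumers that match synonyms exactly will miss the capitalised spelling. Suggest `+ "PRIMITIVE BEAR"` for consistency with the rest of the commit. The last hunk on this line (@@ -4760) only shows six of the seven new-side lines its header announces, so the context after `"attribution-confidence": "50",` is outside this view; the added `+ {` closes an object boundary that was apparently missing before, so it is worth running the file through a strict parser (e.g. `python -m json.tool clusters/threat-actor.json`) to confirm the whole document validates after the change.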
@@ -6476,7 +6485,8 @@
 "country": "CN",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/mustang-panda",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/"
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
@@ -6497,7 +6507,11 @@
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/thrip",
 "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
- "https://attack.mitre.org/groups/G0076/"
+ "https://attack.mitre.org/groups/G0076/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ],
+ "synonyms": [
+ "LOTUS PANDA"
 ]
 },
 "uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc",
@@ -6926,7 +6940,8 @@
 "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/"
 ],
 "synonyms": [
- "SectorJ04 Group"
+ "SectorJ04 Group",
+ "GRACEFUL SPIDER"
 ]
 },
 "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@@ -7015,7 +7030,8 @@
 ],
 "synonyms": [
 "Silence",
- "Silence APT group"
+ "Silence APT group",
+ "WHISPER SPIDER"
 ]
 },
 "uuid": "0d5e17fd-7a71-47fd-b4bc-867cdb833726",
@@ -7030,11 +7046,13 @@
 "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
 "https://securelist.com/chafer-used-remexi-malware/89538/",
 "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
- "https://attack.mitre.org/groups/G0087/"
+ "https://attack.mitre.org/groups/G0087/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ],
 "synonyms": [
 "APT 39",
- "Chafer"
+ "Chafer",
+ "REMIX KITTEN"
 ]
 },
 "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
@@ -7075,7 +7093,8 @@
 "meta": {
 "refs": [
 "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/"
+ "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "80f07c15-cad3-44a2-a8a4-dd14490b5117",
@@ -7095,7 +7114,8 @@
 "description": "Beginning in January 2018 and persisting through the first half of the year, CrowdStrike Intelligence observed SALTY SPIDER, developer and operator of the long-running Sality botnet, distribute malware designed to target cryptocurrency users.",
 "meta": {
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "7e37be6b-5a94-45f3-bdeb-f494c520eee3",
@@ -7105,7 +7125,8 @@
 "description": "This adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL 'web bugs' and scheduled tasks to automate credential harvesting.",
 "meta": {
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "d7a41ada-6687-4a6b-8b5c-396808cdd758",
@@ -7115,7 +7136,8 @@
 "description": "One of the first observed adopters of the 8.t exploit document builder in late 2017, further KRYPTONITE PANDA activity was limited in 2018. Last known activity for this adversary occurred in June 2018 and involved suspected targeting of Cambodia.",
 "meta": {
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "393ebaad-4f05-4b35-bd31-45ac4ae7472d",
@@ -7370,7 +7392,11 @@
 "refs": [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
 "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
- "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/"
+ "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ],
+ "synonyms": [
+ "CIRCUIT PANDA"
 ]
 },
 "uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
@@ -7965,7 +7991,117 @@
 },
 "uuid": "87af83a4-ced4-4e7c-96a6-86612dc095b1",
 "value": "InvisiMole"
+ },
+ {
+ "description": "Publicly known as 'EmpireMonkey', ANTHROPOID SPIDER conducted phishing campaigns in February and March 2019, spoofing French, Norwegian and Belizean financial regulators and institutions. These campaigns used macro-enabled Microsoft documents to deliver the PowerShell Empire post-exploitation framework. ANTHROPOID SPIDER likely enabled a breach that allegedly involved fraudulent transfers over the SWIFT network.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest",
+ "https://fortiguard.com/encyclopedia/botnet/7630456"
+ ],
+ "synonyms": [
+ "Empire Monkey",
+ "CobaltGoblin"
+ ]
+ },
+ "uuid": "559a64d8-8657-4a93-9208-060d52efdec4",
+ "value": "ANTHROPOID SPIDER"
+ },
+ {
+ "description": "Opportunistic actor that installs custom root certificate on victim to support man-in-the-middle network monitoring.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf"
+ ]
+ },
+ "uuid": "2d2f3b53-c544-4823-a65f-da53ff8f594e",
+ "value": "CLOCKWORD SPIDER"
+ },
+ {
+ "description": "In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. 
Following DOPPEL SPIDER’s inception, CrowdStrike Intelligence observed multiple BGH incidents attributed to the group, with the largest known ransomware demand being 250 BTC. Other demands were not nearly as high, suggesting that the group conducts network reconnaissance to determine the value of the victim organization.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "2154b183-c5c5-418f-8e47-f6e999b64e30",
+ "value": "DOPPEL SPIDER"
+ },
+ {
+ "description": "IMPERIAL KITTEN has maintained a consistent operational tempo since Q2 2019. Its operations primarily utilize recruitment- and job-themed infrastructure to deliver custom tooling.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "937e1bc2-e1ab-4e5b-a697-0415c6070f46",
+ "value": "IMPERIAL KITTEN"
+ },
+ {
+ "description": "Spambots continued to decline in 2019, with MONTY SPIDER’s CraP2P spambot falling silent in April.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "168a9e38-70e3-4542-b78f-afa2414436bb",
+ "value": "MONTY SPIDER"
+ },
+ {
+ "description": "NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "fda9cdea-0017-495e-879d-0f348db2aa07",
+ "value": "NARWHAL SPIDER"
+ },
+ {
+ "description": "Mentioned as MaaS operator in CrowdStrike's 2020 Report.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "c042c592-25f6-4887-8a1b-6b8e3bfdcf0c",
+ "value": 
"NOCTURNAL SPIDER"
+ },
+ {
+ "description": "Mentioned as operator of DanaBot in CrowdStrike's 2020 Report.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "7fb1662e-0257-4606-b3a2-bf294c64c098",
+ "value": "SCULLY SPIDER"
+ },
+ {
+ "description": "Mentioned as operator of SmokeLoader in CrowdStrike's 2020 Report.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "e27796eb-624a-4e41-aa40-52d47c764b07",
+ "value": "SMOKY SPIDER"
+ },
+ {
+ "description": "VENOM SPIDER is the developer of a large toolset that includes SKID, VenomKit and Taurus Loader. Under the moniker 'badbullzvenom', the adversary has been an active member of Russian underground forums since at least 2012, specializing in the identification of vulnerabilities and the subsequent development of tools for exploitation, as well as for gaining and maintaining access to victim machines and carding services. Recent advertisements for the malware indicate that VENOM SPIDER limits the sale and use of its tools, selling modules only to trusted affiliates. This preference can be seen in the fact that adversaries observed using the tools include the targeted criminal adversary COBALT SPIDER and BGH adversaries WIZARD SPIDER and PINCHY SPIDER.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ],
+ "synonyms": [
+ "badbullzvenom"
+ ]
+ },
+ "uuid": "86b4e2f3-8bbf-48fd-9d27-034d3ac3b187",
+ "value": "VENOM SPIDER"
 }
 ],
- "version": 155
+ "version": 156
 }
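Review bot: `"value": "CLOCKWORD SPIDER"` looks like a typo for CLOCKWORK SPIDER, the spelling CrowdStrike uses (confirm against the cited report); because `value` is the entry's lookup name, a misspelling is awkward to correct once downstream tools reference it, so `+ "value": "CLOCKWORK SPIDER"` is the one-line fix. The DOPPEL SPIDER description is shown split between "to form the adversary DOPPEL SPIDER. " and "Following DOPPEL SPIDER’s inception"; if that is a raw line break inside the string rather than an artifact of how this patch was rendered, the file no longer parses (RFC 8259 requires control characters in strings to be escaped), so validate with `python -m json.tool clusters/threat-actor.json` before merging. The synonym `"Empire Monkey"` does not match the public spelling `'EmpireMonkey'` quoted in the same description, so exact-match synonym lookups on the public name will miss this entry; adding `+ "EmpireMonkey",` alongside it keeps both forms searchable. DOPPEL SPIDER is described as having split from INDRIK SPIDER and ANTHROPOID SPIDER's references are FIN7 reporting; where those groups already have entries in this cluster, a `related` relation (the structure visible at the Gamaredon hunk's `"related": [` context) would record the link rather than leaving it only in prose. NOCTURNAL SPIDER's description names no tool family at all, so the entry carries nothing searchable beyond the report link; naming the service the report attributes to it would make the entry useful on its own.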