Merge pull request #653 from r0ny123/cybercrime

Adding cybercrime actor profiles from CrowdStrike & Secureworks
pull/654/head v2.4.144
Alexandre Dulaunoy 2021-05-26 21:57:47 +02:00 committed by GitHub
commit 4293503231
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 404 additions and 45 deletions


@ -2812,10 +2812,9 @@
"https://www.secureworks.com/research/threat-profiles/gold-niagara"
],
"synonyms": [
"Carbanak",
"Carbon Spider",
"FIN7",
"GOLD NIAGARA"
"CARBON SPIDER",
"GOLD NIAGARA",
"Calcium"
]
},
"related": [
@ -2835,7 +2834,7 @@
}
],
"uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
"value": "Anunak"
"value": "FIN7"
},
{
"description": "Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say.\nThe attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that its not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets.\nResearchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.",
@ -2932,7 +2931,7 @@
]
},
"uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
"value": "Wolf Spider"
"value": "WOLF SPIDER"
},
{
"description": "First observed activity in December 2013.",
@ -2950,7 +2949,7 @@
"country": "RU"
},
"uuid": "7dd7a8df-9012-4d14-977f-b3f9f71266b4",
"value": "Shark Spider"
"value": "SHARK SPIDER"
},
{
"description": "Adversary targeting manufacturing and industrial organizations.",
@ -2962,7 +2961,7 @@
]
},
"uuid": "db774b7d-a0ee-4375-b24e-fd278f5ab2fd",
"value": "Union Spider"
"value": "UNION SPIDER"
},
{
"meta": {
@ -3152,13 +3151,16 @@
"meta": {
"attribution-confidence": "50",
"country": "US",
"refs": [
"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/"
],
"synonyms": [
"DD4BC",
"Ambiorx"
]
},
"uuid": "dd9806a9-a600-48f8-81fb-07f0f1b7690d",
"value": "Pizzo Spider"
"value": "PIZZO SPIDER"
},
{
"meta": {
@ -3662,11 +3664,15 @@
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf",
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
"https://attack.mitre.org/groups/G0037/",
"https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/"
"https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/",
"http://www.secureworks.com/research/threat-profiles/gold-franklin"
],
"synonyms": [
"Skeleton Spider",
"ITG08"
"SKELETON SPIDER",
"ITG08",
"MageCart Group 6",
"White Giant",
"GOLD FRANKLIN"
]
},
"related": [
@ -4645,12 +4651,10 @@
"http://www.secureworks.com/research/threat-profiles/gold-kingswood"
],
"synonyms": [
"Cobalt group",
"Cobalt Group",
"Cobalt gang",
"Cobalt Gang",
"GOLD KINGSWOOD",
"Cobalt Spider"
"COBALT SPIDER"
]
},
"uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
@ -5293,7 +5297,7 @@
]
},
"uuid": "e85ab78c-5e86-403c-b444-9cdcc167fb77",
"value": "Andromeda Spider"
"value": "ANDROMEDA SPIDER"
},
{
"meta": {
@ -5321,7 +5325,7 @@
]
},
"uuid": "430ba885-cd24-492e-804c-815176ed9b1e",
"value": "Magnetic Spider"
"value": "MAGNETIC SPIDER"
},
{
"description": "Arbors ASERT team is now reporting that, after looking deeper at that particular campaign, and by exposing a new trail in the groups activities, they managed to identify a new RAT that was undetectable at that time by most antivirus vendors.\nNamed Trochilus, this new RAT was part of Group 27s malware portfolio that included six other malware strains, all served together or in different combinations, based on the data that needed to be stolen from each victim.\nThis collection of malware, dubbed the Seven Pointed Dagger by ASERT experts, included two different PlugX versions, two different Trochilus RAT versions, one version of the 3012 variant of the 9002 RAT, one EvilGrab RAT version, and one unknown piece of malware, which the team has not entirely decloaked just yet.",
@ -5344,7 +5348,7 @@
]
},
"uuid": "769bf551-ff39-4f84-b7f2-654a28df1e50",
"value": "Singing Spider"
"value": "SINGING SPIDER"
},
{
"meta": {
@ -5407,7 +5411,7 @@
]
},
"uuid": "445c7b62-028b-455e-9d65-74899b7006a4",
"value": "Dextorous Spider"
"value": "DEXTOROUS SPIDER"
},
{
"meta": {
@ -6811,12 +6815,14 @@
"https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
"https://www.secureworks.com/research/threat-profiles/gold-tahoe",
"https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
"https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/"
"https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
"https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic"
],
"synonyms": [
"SectorJ04 Group",
"GRACEFUL SPIDER",
"GOLD TAHOE"
"GOLD TAHOE",
"Dudear"
]
},
"uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@ -6847,10 +6853,15 @@
"https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
"https://www.secureworks.com/research/threat-profiles/gold-ulrick"
"https://www.secureworks.com/research/threat-profiles/gold-ulrick",
"https://www.secureworks.com/research/dyre-banking-trojan",
"https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic",
"https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
"http://www.secureworks.com/research/threat-profiles/gold-blackburn"
],
"synonyms": [
"TEMP.MixMaster"
"TEMP.MixMaster",
"GOLD BLACKBURN"
]
},
"uuid": "bdf4fe4f-af8a-495f-a719-cf175cecda1f",
@ -6868,7 +6879,6 @@
],
"synonyms": [
"TA542",
"Mummy Spider",
"GOLD CRESTWOOD"
]
},
@ -6969,14 +6979,18 @@
"meta": {
"refs": [
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://www.secureworks.com/research/threat-profiles/gold-lowell"
"https://www.secureworks.com/research/threat-profiles/gold-lowell",
"https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit",
"https://www.secureworks.com/blog/samas-ransomware",
"https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
"https://www.secureworks.com/research/samsam-ransomware-campaigns"
],
"synonyms": [
"GOLD LOWELL"
]
},
"uuid": "d6a13387-4c98-4a0c-a516-6c36c081b64c",
"value": "Boss Spider"
"value": "BOSS SPIDER"
},
{
"description": "First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates.\nCrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”\n PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.",
@ -6988,7 +7002,7 @@
]
},
"uuid": "80f07c15-cad3-44a2-a8a4-dd14490b5117",
"value": "Pinchy Spider"
"value": "PINCHY SPIDER"
},
{
"description": "Early in 2018, CrowdStrike Intelligence observed GURU SPIDER supporting the distribution of multiple crimeware families through its flagship malware loader, Quant Loader.",
@ -6998,7 +7012,7 @@
]
},
"uuid": "0a667713-bc31-4a72-9ea3-34fc094a9dde",
"value": "Guru Spider"
"value": "GURU SPIDER"
},
{
"description": "Beginning in January 2018 and persisting through the first half of the year, CrowdStrike Intelligence observed SALTY SPIDER, developer and operator of the long-running Sality botnet, distribute malware designed to target cryptocurrency users.",
@ -7009,7 +7023,7 @@
]
},
"uuid": "7e37be6b-5a94-45f3-bdeb-f494c520eee3",
"value": "Salty Spider"
"value": "SALTY SPIDER"
},
{
"description": "In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.",
@ -7039,7 +7053,7 @@
]
},
"uuid": "998b0a78-ff3e-4928-802f-b42e3f5cf491",
"value": "Skeleton Spider"
"value": "SKELETON SPIDER"
},
{
"description": "According to CrowdStrike, this actor is using TinyLoader and TinyPOS, potentially buying access through Dridex infections.",
@ -7049,7 +7063,7 @@
]
},
"uuid": "89a05f9f-a6dc-4426-8c15-a8d5ef6d8524",
"value": "Tiny Spider"
"value": "TINY SPIDER"
},
{
"description": "According to CrowdStrike, this actor is using BokBok/IcedID, potentially buying distribution through Emotet infections.\nOn March 17, 2019, CrowdStrike Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDER), which may provide WIZARD SPIDER with additional tools to steal sensitive information and conduct fraudulent wire transfers. This activity also provides further evidence to support the existence of a flourishing relationship between these two actors.\nLunar Spider is reportedly associated withGrim Spider and Wizard Spider.",
@ -7065,7 +7079,7 @@
]
},
"uuid": "0db4c708-f33d-4d46-906d-12fdf7415f62",
"value": "Lunar Spider"
"value": "LUNAR SPIDER"
},
{
"description": "In July 2018, the source code of Pegasus, RATPAK SPIDERs malware framework, was anonymously leaked. This malware has been linked to the targeting of Russias financial sector. Associated malware, Buhtrap, which has been leaked previously, was observed this year in connection with SWC campaigns that also targeted Russian users.",
@ -7075,7 +7089,7 @@
]
},
"uuid": "ec3fda76-8c1c-4019-8109-3f92e6b15633",
"value": "Ratpak Spider"
"value": "RATPAK SPIDER"
},
{
"meta": {
@ -7457,7 +7471,7 @@
]
},
"uuid": "f1da463c-9297-11e9-875a-d327fc8282f2",
"value": "Dungeon Spider"
"value": "DUNGEON SPIDER"
},
{
"description": "Throughout 2017 and 2018, Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground. Some of the known Fxmsp TTPs included accessing network environments via externally available remote desktop protocol (RDP) servers and exposed active directory.\nMost recently, the actor claimed to have developed a credential-stealing botnet capable of infecting high-profile targets in order to exfiltrate sensitive usernames and passwords. Fxmsp has claimed that developing this botnet and improving its capabilities for stealing information from secured systems is their main goal.",
@ -7543,15 +7557,17 @@
"value": "[Vault 7/8]"
},
{
"description": "CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”\nPINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.",
"description": "On April 7, 2017, Pytor Levashov — who predominantly used the alias Severa or Peter Severa and whom Falcon Intelligence tracks as ZOMBIE SPIDER — was arrested in an international law enforcement operation led by the FBI. ZOMBIE SPIDERs specialty was large-scale spam distribution, a fundamental component of cybercrime operations. Levashov was the primary threat actor behind a botnet known as Kelihos and its predecessors, Waledac and Storm. In addition to Levashovs arrest, there was a technical operation conducted by Falcon Intelligence to seize control of the Kelihos botnet.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
"https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0"
"https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/",
"https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/",
"https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf"
]
},
"uuid": "e01b8f3a-9366-11e9-9c6f-17ba128aa4b6",
"value": "Zombie Spider"
"value": "ZOMBIE SPIDER"
},
{
"description": "In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims; and a hash of the APK involved (Android application) was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner-workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information.\nDuring the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker”, because of strings and variables in its code.",
@ -7753,11 +7769,14 @@
"https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us",
"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
"https://adversary.crowdstrike.com/adversary/twisted-spider/",
"https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf"
"https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
"https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic",
"http://www.secureworks.com/research/threat-profiles/gold-village"
],
"synonyms": [
"Maze Team",
"TWISTED SPIDER"
"TWISTED SPIDER",
"GOLD VILLAGE"
]
},
"uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d",
@ -7962,7 +7981,11 @@
"description": "In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDERs inception, CrowdStrike Intelligence observed multiple BGH incidents attributed to the group, with the largest known ransomware demand being 250 BTC. Other demands were not nearly as high, suggesting that the group conducts network reconnaissance to determine the value of the victim organization.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"http://www.secureworks.com/research/threat-profiles/gold-heron"
],
"synonyms": [
"GOLD HERON"
]
},
"uuid": "2154b183-c5c5-418f-8e47-f6e999b64e30",
@ -7983,10 +8006,16 @@
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"http://www.secureworks.com/research/threat-profiles/gold-essex"
"http://www.secureworks.com/research/threat-profiles/gold-essex",
"https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later",
"https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
"https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0",
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
"https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes"
],
"synonyms": [
"GOLD ESSEX"
"GOLD ESSEX",
"TA544"
]
},
"uuid": "fda9cdea-0017-495e-879d-0f348db2aa07",
@ -8241,7 +8270,12 @@
"refs": [
"https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
"https://en.wikipedia.org/wiki/Maksim_Yakubets",
"https://www.bbc.com/news/world-us-canada-53195749"
"https://www.bbc.com/news/world-us-canada-53195749",
"http://www.secureworks.com/research/threat-profiles/gold-drake",
"https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation"
],
"synonyms": [
"GOLD DRAKE"
]
},
"uuid": "c30fbdc8-b66d-4242-a02a-e01946bc86d8",
@ -8419,7 +8453,332 @@
},
"uuid": "eaeae8e9-cc4b-4be8-82fd-8edc65ff9a5e",
"value": "Yanbian Gang"
},
{
"description": "Crowdstrike Tracks the criminal developer of Nemty ransomware as TRAVELING SPIDER. The actor has been observed to take advantage of single-factor authentication to gain access to victim organizations through Citrix Gateway and send extortion-related emails using the victims own Microsoft Office 365 instance.",
"meta": {
"refs": [
"https://www.cyberscoop.com/coronavirus-hacking-disinformation-ransomware-spearphishing/",
"https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeServicesCyberFrontLines.pdf"
]
},
"uuid": "a515632e-3374-4602-911e-4f4e259ae0fd",
"value": "TRAVELING SPIDER"
},
{
"description": "Crowdstrike tarcks the operators behind the Qbot as MALLARD SPIDER",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/",
"http://www.secureworks.com/research/threat-profiles/gold-lagoon"
],
"synonyms": [
"GOLD LAGOON"
]
},
"uuid": "08f4bfa6-8326-42b5-a9e2-d6e1c360a160",
"value": "MALLARD SPIDER"
},
{
"description": "According to Crowdstrike, RIDDLE SPIDER is the operator behind the avaddon ransomware",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
]
},
"uuid": "090d0553-cdcf-4f4e-ae3b-b5d751acaf5d",
"value": "RIDDLE SPIDER"
},
{
"description": "GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware. Active since November 2018, GOLD DUPONT establishes initial access into victim networks using stolen credentials to remote access services like virtual desktop infrastructure (VDI) or virtual private networks (VPN). From October 2019 to early 2020 the group used GOLD BLACKBURN's TrickBot malware as an initial access vector (IAV) during some intrusions. Since July 2020, the group has also used GOLD SWATHMORE's IcedID (Bokbot) malware as an IAV in some intrusions.",
"meta": {
"refs": [
"https://www.secureworks.com/research/threat-profiles/gold-dupont",
"https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
"https://www.youtube.com/watch?v=qxPXxWMI2i4"
],
"synonyms": [
"SPRITE SPIDER"
]
},
"uuid": "3570552c-c46f-428e-9472-744a14e6ece7",
"value": "GOLD DUPONT"
},
{
"description": "KNOCKOUT SPIDER has conducted low-volume spear-phishing campaigns focused on companies involved in cryptocurrency.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
]
},
"uuid": "0fb7b53a-77d5-44c5-b500-1d612f262172",
"value": "KNOCKOUT SPIDER"
},
{
"description": "SOLAR SPIDERs phishing campaigns deliver the JSOutProx RAT to financial institutions across Africa, the Middle East, South Asia and Southeast Asia.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
]
},
"uuid": "f65103ad-f051-47c3-b90e-c77239a4d65c",
"value": "SOLAR SPIDER"
},
{
"description": "VIKING SPIDER is the criminal group behind the development and distribution of Ragnar Locker ransomware. While public reporting indicates the group began threatening to leak victim data in February 2020, a DLS was not observed until April 2020. The DLS is hosted on Tor, and similar to other actors, proof of data exfiltration is provided before the stolen data is fully leaked. It was also noted that On Dec. 22, 2020, a new post made to MountLocker ransomwares Tor-hosted DLS was titled 'Cartel News' and included details of a victim of VIKING SPIDERs Ragnar Locker",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
"https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
"https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf"
]
},
"uuid": "ffc02459-3d94-4558-bff0-2e7f0bbf70c6",
"value": "VIKING SPIDER"
},
{
"description": "According to Crowdstrike, the NetWalker ransomware is being developed and maintained by a Russian-speaking actor designated as CIRCUS SPIDER. Initially discovered in September 2019and havinga compilation timestamp dating back to 28 August 2019, NetWalker has been found to be used in Big Game Hunting (BGH)-style operations while also being distributed via spam. CIRCUS SPIDER is advertising NetWalkeras being a closed-affiliate program,and verifies applicants before they are being accepted as an affiliate. The requirements rangefrom providing proof of previous revenue in similar affiliates programs, experience in the field and what type of industry the applicantis targeting.",
"meta": {
"country": "RU",
"refs": [
"https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
"https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"
]
},
"uuid": "3ebf503c-c554-4ac3-aa3e-3ef114ca2345",
"value": "CIRCUS SPIDER"
},
{
"description": "GOLD EVERGREEN was a financially motivated cybercriminal threat group that operated the Gameover Zeus (aka Mapp, P2P Zeus) botnet until June 2014. It encompasses an expansive and long running criminal conspiracy operated by a confederation of individuals calling themselves The Business Club from the mid 2000s until 2014. GOLD EVERGREEN's technical operation was facilitated primarily through botnets using the Zeus, JabberZeus, and eventually Gameover Zeus malware families. These malware families were designed and maintained by a Russian national Evgeniy Bogachev (aka 'slavik') who was indicted by the U.S. DOJ in 2014 and remains a fugitive.",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-evergreen",
"https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group"
]
},
"uuid": "fc1c1d9f-1432-417f-a3bf-e730ddd1d139",
"value": "GOLD EVERGREEN"
},
{
"description": "Crowdstrike tracks the developer of Panda Zeus as BAMBOO SPIDER",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf",
"https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/"
]
},
"uuid": "419599eb-c1ea-4d32-8c9e-0ad61d7c5ba5",
"value": "BAMBOO SPIDER"
},
{
"description": "BOSON SPIDER is a cyber criminal group, which was first identified in 2015, recently and inexplicably went dark in the spring of 2016, appears to be a tightly knit group operating out of Eastern Europe. They have used a variety of distribution mechanisms such as the infamous (and now defunct) angler exploit kit, and obfuscated JavaScript to reduce the detection by antivirus solutions.",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf",
"https://www.crowdstrike.com/blog/ecrime-ecosystem/"
]
},
"uuid": "9c11a822-2239-42ca-a439-ee57edb44ebf",
"value": "BOSON SPIDER"
},
{
"description": "OVERLORD SPIDER, aka The Dark Overlord. Similar to ransomware operators today, OVERLORD SPIDER likely purchased RDP access to compromised servers on underground forums in order to exfiltrate data from corporate networks. The actor was known to attempt to “sell back” the data to the respective victims, threatening to sell the data to interested parties should the victim refuse to pay. There was at least one identified instance of OVERLORD SPIDER successfully selling victim data on an underground market.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1"
]
},
"uuid": "b43ce229-feaa-4731-9926-e0970140ab0b",
"value": "OVERLORD SPIDER"
},
{
"description": "On May 7, 2019, Mayor Bernard “Jack” Young confirmed that the network for the U.S. City of Baltimore (CoB) was infected with ransomware, which was announced via Twitter1. This infection was later confirmed to be conducted by OUTLAW SPIDER, which is the actor behind the RobbinHood ransomware. The actor demanded to be paid 3 BTC (approximately $17,600 USD at the time) per infected system, or 13 BTC (approximately $76,500 USD at the time) for all infected systems to recover the citys files.",
"meta": {
"refs": [
"https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/",
"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeServicesCyberFrontLines.pdf"
]
},
"uuid": "ae121063-3960-4834-90d7-66aad69c5e8b",
"value": "OUTLAW SPIDER"
},
{
"description": "MIMIC SPIDER is mentioned in two summary reports only",
"meta": {
"refs": [
"https://conferences.law.stanford.edu/cyberday/wp-content/uploads/sites/10/2016/10/2a_15GlobalThreatReport_Extracted.pdf",
"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/"
]
},
"uuid": "20e2be89-a54d-46c7-a837-1f17359f30ba",
"value": "MIMIC SPIDER"
},
{
"description": "According to Crowdstrike, HOUND SPIDER affiliates arrested in Romania on December,2017",
"meta": {
"refs": [
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf"
]
},
"uuid": "22dd1608-272c-4243-9bda-25eec834a24d",
"value": "HOUND SPIDER"
},
{
"description": "GOLD BURLAP is a group of financially motivated criminals responsible for the development of the Pysa ransomware, also referred to as Mespinoza. Pysa is a cross-platform ransomware with known versions written in C++ and Python. As of December 2020, approximately 50 organizations had reportedly been targeted in Pysa ransomware attacks. The operators leverage 'name and shame' tactics to apply additional pressure to victims. As of January 2021, CTU researchers had found no Pysa advertisements on underground forums, which likely indicates that it is not operated as ransomware as a service (RaaS).",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-burlap"
]
},
"uuid": "d34ca487-1613-4ee5-8930-2ac8a60f945f",
"value": "GOLD BURLAP"
},
{
"description": "GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.",
"meta": {
"refs": [
"https://www.secureworks.com/research/threat-profiles/gold-cabin"
],
"synonyms": [
"Shakthak",
"TA551"
]
},
"uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1",
"value": "GOLD CABIN"
},
{
"description": "GOLD FAIRFAX is a financially motivated cybercriminal threat group responsible for the creation, distribution, and operation of the Ramnit botnet. Ramnit, the phonetic spelling of RMNet, the internal name of the core module, began operation in April 2010 and became widespread in July 2010. A particularly virulent file-infecting component of early Ramnit variants that spreads by modifying executables and HTML files has resulted in the continued prevalence of those early variants. Currently, Ramnit remains an actively maintained and distributed threat. The intent of Ramnit is to intercept and manipulate online financial transactions through modification of web browser behavior ('man-in-the-browser').",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-fairfax"
]
},
"uuid": "eadc8c5c-a97d-454e-8e67-475ac60749bf",
"value": "GOLD FAIRFAX"
},
{
"description": "GOLD FLANDERS is a financially motivated group responsible for distributed denial of service (DDOS) attacks linked to extortion emails demanding between 5 and 30 bitcoins. The attacks consist mostly of fragmented UDP packets (DNS and NTP reflection) as well as other traffic that can vary per victim. The arrival of the extortion email is timed to coincide with a DDOS attack consisting of traffic between 20 Gbps and 200 Gbps and 12-15 million packets per second, lasting between 20 and 70 minutes targeted at a particular Autonomous System Number (ASN) or group of IP addresses. In some cases victim organisations have replied to these extortion emails and received personal replies from GOLD FLANDERS operators within 20 minutes. ",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-flanders"
]
},
"uuid": "20180cbb-27e3-49d5-922e-1e3bddc6c085",
"value": "GOLD FLANDERS"
},
{
"description": "GOLD GALLEON is a financially motivated cybercriminal threat group comprised of at least 20 criminal associates that collectively carry out business email compromise (BEC) and spoofing (BES) campaigns. The group appears to specifically target maritime organizations and their customers. CTU researchers have observed GOLD GALLEON targeting firms in South Korea, Japan, Singapore, Philippines, Norway, U.S., Egypt, Saudi Arabia, and Colombia. The threat actors leverage tools, tactics, and procedures that are similar to those used by other BEC/BES groups CTU researchers have previously investigated, such as GOLD SKYLINE. The groups have used the same caliber of publicly available malware (inexpensive and commodity remote access trojans), crypters, and email lures.",
"meta": {
"refs": [
"https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
"http://www.secureworks.com/research/threat-profiles/gold-galleon"
]
},
"uuid": "6976b33c-a45b-4330-b0d8-8ef029ef830e",
"value": "GOLD GALLEON"
},
{
"description": "GOLD GARDEN was a financially motivated cybercriminal threat group that authored and operated the GandCrab ransomware from January 2018 through May 2019. GandCrab was operated as a ransomware-as-a-service operation whereby numerous affiliates distributed the malware and split ransom payments with the core operators. GOLD GARDEN maintained exclusive control of the development of GandCrab and associated command and control (C2) infrastructure. Individual affiliates, of which there were frequently more than a dozen in operation simultaneously, coordinated the distribution of GandCrab through spam emails, web exploit kits, pay-per-install botnets, and scan-and-exploit style attacks. On May 31, 2019 the operators announced they have halted operations with no intent to resume for unknown reasons. In April 2019 the operators of GOLD GARDEN transferred the source code of GandCrab to GOLD SOUTHFIELD who used it as the foundation of the REvil ransomware operation. GOLD SOUTHFIELD operates a similar affiliate program comprised largely of former GandCrab users and other groups recruited from underground forums.",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-garden"
]
},
"uuid": "c0f86de9-888e-42b0-90f4-f313808533ff",
"value": "GOLD GARDEN"
},
{
"description": "GOLD MANSARD is a financially motivated cybercriminal threat group that operated the Nemty ransomware from August 2019. The threat actor behind Nemty is known on Russian underground forums as 'jsworm'. Nemty was operated as a ransomware as a service (RaaS) affiliate program and featured a 'name and shame' website where exfiltrated victim data was leaked. In April 2020, jsworm appeared to acquire new partners and retired the Nemty ransomware. This was followed by the introduction of Nefilim ransomware, which does not operate as an affiliate model. Nefilim has been used in post-intrusion ransomware attacks against organizations in logistics, telecommunications, energy and other sectors.",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-mansard"
]
},
"uuid": "bda575ed-5066-4625-98ef-938bbffddc00",
"value": "GOLD MANSARD"
},
{
"description": "Operational since at least October 2020, GOLD NORTHFIELD is a financially motivated cybercriminal threat group that leverages GOLD SOUTHFIELD's REvil ransomware in their attacks. To do this, the threat actors replace the configuration of the REvil ransomware binary with their own in an effort to repurpose the ransomware for their operations. GOLD NORTHFIELD has given this modified REvil ransomware variant the name 'LV ransomware'.",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-northfield",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-13th-2020-extortion-gone-wild/"
]
},
"uuid": "4c51f24c-90a1-4f22-b932-bd4bb9d488f6",
"value": "GOLD NORTHFIELD"
},
{
"description": "GOLD RIVERVIEW was a financially motivated cybercriminal group that facilitated the distribution of malware- and scam-laden spam email on behalf of its customers. This threat group authored and sold the Necurs rootkit beginning in early 2014, including to GOLD EVERGREEN who integrated it into Gameover Zeus. GOLD RIVERVIEW also operated a global botnet that was colloquially known as Necurs (CraP2P) and was a major source of spam email from 2016 through 2018. Necurs distributed malware such as GOLD DRAKE's Dridex (Bugat v5), GOLD BLACKBURN's TrickBot, and other families like Locky and FlawedAmmy. Necurs also distributed a large volume of email pushing securities 'pump and dump' scams, rogue pharmacies, and fraudulent dating sites. On March 4, 2019 all three active segments of the Necurs botnet ceased operation and have not since resumed. On March 10, 2020 Microsoft took civil action against GOLD RIVERVIEW and made technical steps that would complicate the threat actors' ability to reconstitute the botnet.",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-riverview"
]
},
"uuid": "3806516d-151b-4869-88bc-1f2a2cb73c3c",
"value": "GOLD RIVERVIEW"
},
{
"description": "GOLD SKYLINE is a financially motivated cybercriminal threat group operating from Nigeria engaged in high-value wire fraud facilitated by business email compromise (BEC) and spoofing (BES). Also known as Wire-Wire Group 1 (WWG1), GOLD SKYLINE has been active since at least 2016 and relies heavily on compromised email accounts, social engineering, and increasingly malware to divert inter-organization funds transfers.",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-skyline"
]
},
"uuid": "dcb6b056-7a1b-484c-82ee-f3962d47bcd9",
"value": "GOLD SKYLINE"
},
{
"description": "GOLD SOUTHFIELD is a financially motivated cybercriminal threat group that authors and operates the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups. Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. GOLD SOUTHFIELD is responsible for authoring REvil and operating the backend infrastructure used by affiliates (also called partners) to create malware builds and to collect ransom payments from victims. CTU researchers assess with high confidence that GOLD SOUTHFIELD is a former GandCrab affiliate and continues to work with other former GandCrab affiliates.",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-southfield",
"https://www.secureworks.com/research/revil-sodinokibi-ransomware",
"https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic",
"https://www.secureworks.com/blog/revil-the-gandcrab-connection"
]
},
"uuid": "262c8537-1cdb-4297-aa3e-1410164160bf",
"value": "GOLD SOUTHFIELD"
},
{
"description": "GOLD SYMPHONY is a financially motivated cybercrime group, likely based in Russia, that is responsible for the development and sale on underground forums of the Buer Loader malware. First discovered around August 2019, Buer Loader is offered as a malware-as-a-service (MasS) and has been advertised by a threat actor using the handle 'memeos'. Customers include GOLD BLACKBURN, the operators of the TrickBot malware. In addition to TrickBot, Buer Loader has been reported to download Cobalt Strike and other tools for use in post-intrusion ransomware attacks.",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-symphony"
]
},
"uuid": "bf151740-b667-4f06-87a1-131c3261cca2",
"value": "GOLD SYMPHONY"
},
{
"description": "GOLD WATERFALL is a group of financially motivated cybercriminals responsible for the creation, distribution, and operation of the Darkside ransomware. Active since August 2020, GOLD WATERFALL uses a variety of tactics, techniques, and procedures (TTPs) to infiltrate and move laterally within targeted organizations to deploy Darkside ransomware to its most valuable resources. Among these TTPs are using malicious documents delivered by email to establish a foothold and using stolen credentials to access victims' remote access services. In November 2020, the 'darksupp' persona was observed advertising an affiliate program on several semi-exclusive underground forums, marking GOLD WATERFALL's entry into the ransomware-as-a-service (RaaS) landscape.",
"meta": {
"refs": [
"https://www.secureworks.com/research/threat-profiles/gold-waterfall",
"https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access"
]
},
"uuid": "4d787c58-2581-4696-ad6c-e0e36ed2bac7",
"value": "GOLD WATERFALL"
},
{
"description": "GOLD WINTER are a financially motivated group, likely based in Russia, who operate the Hades ransomware. Hades activity was first identified in December 2020 and its lack of presence on underground forums and marketplaces leads CTU researchers to conclude that it is not operated under a ransomware as a service affiliate model. GOLD WINTER do employ name-and-shame tactics, where data is stolen and used as additional leverage over victims, but rather than a single centralized leak site CTU researchers have observed the group using Tor sites customized for each victim that include a Tox chat ID for communication, which also appears to be unique for each victim.",
"meta": {
"refs": [
"http://www.secureworks.com/research/threat-profiles/gold-winter"
]
},
"uuid": "6c514d9d-e2fa-45a5-a938-9a461f69ad2d",
"value": "GOLD WINTER"
}
],
"version": 201
"version": 203
}