From 54512eb840d63917a8e761eced2c7d6193b6189d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A9borah=20Servili?=
Date: Fri, 14 Apr 2017 14:48:39 +0200
Subject: [PATCH 1/2] Add some tools/threat actor
---
 clusters/threat-actor.json | 9 +++++++++
 clusters/tool.json | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b54ea59c..4f937115 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1512,6 +1512,15 @@
 },
 "value": "Longhorn",
 "description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally."
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.f-secure.com/documents/996508/1030745/callisto-group"
+ ],
+ },
+ "value": "Callisto",
+ "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions."
 }
 ],
 "name": "Threat actor",
diff --git a/clusters/tool.json b/clusters/tool.json
index 2c32e3d9..0d354c88 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2571,6 +2571,44 @@
 },
 "description": "QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat . The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past.",
 "value": "QUASARRAT"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://surveillance.rsf.org/en/hacking-team/",
+ "https://wikileaks.org/hackingteam/emails/fileid/581640/267803"
+ ]
+ },
+ "description": "Hacking Team’s \"DaVinci\" Remote Control System is able, the company says, to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP), Skype and other Voice over IP or chat communication. It allows identification of the target’s location and relationships. It can also remotely activate microphones and cameras on a computer and works worldwide. Hacking Team claims that its software is able to monitor hundreds of thousands of computers at once, all over the country. Trojans are available for Windows, Mac, Linux, iOS, Android, Symbian and Blackberry.",
+ "value": "da Vinci RCS"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html",
+ "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html"
+ ]
+ },
+ "description": "LATENTBOT, a new, highly obfuscated BOT that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.",
+ "value": "LATENTBOT"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html"
+ ]
+ },
+ "description": "Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.",
+ "value": "FINSPY"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.f-secure.com/documents/996508/1030745/callisto-group"
+ ]
+ },
+ "description": "HackingTeam Remote Control System (RCS) Galileo hacking platform",
+ "value": "RCS Galileo"
 }
 ]
 }
From 531595c9441987eba37087fb8bb60b349eb3093f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A9borah=20Servili?=
Date: Fri, 14 Apr 2017 14:52:23 +0200
Subject: [PATCH 2/2] ##comma##
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4f937115..5d281eeb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1517,7 +1517,7 @@
 "meta": {
 "refs": [
 "https://www.f-secure.com/documents/996508/1030745/callisto-group"
- ],
+ ]
 },
 "value": "Callisto",
 "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions."
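Review bot: The FINSPY entry's `description` in the tool.json hunk is a sentence lifted mid-paragraph from the FireEye post — `Though we have not identified the targets`, `we assess`, and `the zero-day` have no referent inside the cluster, so the text does not stand on its own for an analyst reading the galaxy. Suggest `"description": "FINSPY is sold by Gamma Group to multiple nation-state clients. FireEye assessed with moderate confidence that it was used together with the CVE-2017-0199 zero-day to carry out cyber espionage."`, naming the vulnerability the referenced post is about. In the same hunk, `da Vinci RCS` and `RCS Galileo` both describe Hacking Team's Remote Control System, yet the Galileo entry carries only a one-phrase description and cites the Callisto-group report rather than a source documenting the platform itself; consider folding it into the da Vinci entry as a synonym, or giving it a reference that covers Galileo directly, so the two entries do not drift apart as separate tools.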