From 18153f31511fb5eb4e8cf5d4fb959b846cabef46 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 17 Jan 2017 20:55:27 +0100
Subject: [PATCH 1/7] GhostAdmin added
---
 clusters/tool.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 6988a9ce..b224bd47 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1154,9 +1154,16 @@
 },
 "description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]",
 "value": "Shamoon"
+ },
+ {
+ "value": "GhostAdmin",
+ "description": "According to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.",
+ "meta": {
+ "refs": ["https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/"]
+ }
 }
 ],
- "version": 12,
+ "version": 13,
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "author": [
From 44cc53d9567087385b61a0cb096b63767814cb29 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 19 Jan 2017 08:30:46 +0100
Subject: [PATCH 2/7] EyePyramid added
---
 clusters/tool.json | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index e892f95a..6b156f90 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
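Review bot: The new GhostAdmin description says only what the tool is derived from, not what it does, so an analyst tagging an event with this cluster learns nothing about its function; the cited article's title describes it as malware used for data theft and exfiltration, and the entry should lead with that, e.g. `"description": "GhostAdmin is a botnet malware family used for data theft and exfiltration. According to MalwareHunterTeam and other researchers …"`. The phrase `active around 3-4 years ago` is relative to the January 2017 article and will drift as the cluster ages; anchoring it as `around 2013-2014` (inferred from the article date, confirm against the source) keeps it correct. CrimeScene is named as a predecessor rather than an alias, so it is right that it is not in `synonyms`; if it is worth tracking it should get its own entry.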
@@ -1239,9 +1239,17 @@
 "meta": {
 "refs": ["https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/"]
 }
+ },
+ {
+ "value": " EyePyramid Malware",
+ "description": "Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)",
+ "meta": {
+ "refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/"],
+ "country": "IT"
+ }
 }
 ],
- "version": 13,
+ "version": 14,
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "author": [
From 8987006c5d1d4a9266bfbac3e9883914ae909254 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 19 Jan 2017 14:16:55 +0100
Subject: [PATCH 3/7] LuminosityLink RAT added
---
 clusters/tool.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 6b156f90..06362480 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
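Review bot: The new `value` is `" EyePyramid Malware"` with a leading space, while the other entries in this cluster use the bare family name (`Shamoon`, `GhostAdmin`); since `value` is the identifier that tags and lookups are built from, the stray space and the `Malware` suffix create a distinct, hard-to-type name that will not match anything else referring to EyePyramid — use `"value": "EyePyramid"`. The description covers the arrests rather than the malware; a first sentence stating that EyePyramid is the malware used in that spear-phishing campaign would fit a tool entry better. `"country": "IT"` is the first country field on a tool entry in these hunks; if it denotes the operators' origin it belongs on the actor entry in threat-actor.json, and if it means the victims' country the description should say so.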
@@ -1247,9 +1247,16 @@
 "refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/"],
 "country": "IT"
 }
+ },
+ {
+ "value": "LuminosityLink",
+ "description": "LuminosityLink is a malware family costing $40 that purports to be a system administration utility",
+ "meta": {
+ "refs": ["http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/"]
+ }
 }
 ],
- "version": 14,
+ "version": 15,
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "author": [
From 8ed737402811194a08a724dd97519f1cf2a8e7cb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 20 Jan 2017 15:31:25 +0100
Subject: [PATCH 4/7] Tavdig was missing
---
 clusters/tool.json | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 06362480..ded44802 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -207,7 +207,12 @@
 "value": "Agent.dne"
 },
 {
- "value": "Wipbot"
+ "value": "Wipbot",
+ "description": "Waterbug is the name given to the actors who use the malware tools Trojan.Wipbot (also known as Tavdig and Epic Turla)",
+ "meta": {
+ "synonyms": ["Tavdig", "Epic Turla"],
+ "refs": ["https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"]
+ }
 },
 {
 "value": "Turla"
@@ -1256,7 +1261,7 @@
 }
 }
 ],
- "version": 15,
+ "version": 16,
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "author": [
From abca7a02d04eb547383515c1a872d1ce24a45c6d Mon Sep 17 00:00:00 2001
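Review bot: The LuminosityLink description never says what kind of tool it is, although the commit subject and the cited Unit 42 URL both call it a remote access trojan; an analyst reading only the cluster gets `a malware family costing $40`. Suggest `"description": "LuminosityLink is a remote access trojan (RAT), sold for $40, that purports to be a system administration utility."`, which also supplies the missing closing period. A `synonyms` list would help tag matching, but only add spellings actually seen in reporting (e.g. `"LuminosityLink RAT"` if that form is in use), not guesses.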
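Review bot: The new description on the `Wipbot` tool entry describes the Waterbug actor (`Waterbug is the name given to the actors…`) rather than the tool, so the tool cluster now carries actor text that belongs in threat-actor.json. Suggest `"description": "Trojan.Wipbot, also known as Tavdig and Epic Turla, is a malware tool used by the Waterbug group (Symantec's name for the actors behind it)."`, which keeps the same facts but leads with the tool. `Epic Turla` is also used in reporting as a campaign and actor name; if the threat-actor cluster lists it as a synonym for the Turla actor, the same string here as a tool synonym makes the resulting tags ambiguous, so consider keeping only `Tavdig` in `synonyms` and mentioning the Epic Turla naming in the description instead.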
From: Alexandre Dulaunoy
Date: Mon, 23 Jan 2017 16:20:09 +0100
Subject: [PATCH 5/7] Greenbug added
---
 clusters/threat-actor.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0caf168c..82f390bc 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1358,6 +1358,13 @@
 "country": "US",
 "refs": ["https://en.wikipedia.org/wiki/Equation_Group"]
 }
+ },
+ {
+ "value": "Greenbug",
+ "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.",
+ "meta": {
+ "refs": ["https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"]
+ }
 }
 ],
 "name": "Threat actor",
@@ -1372,5 +1379,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 12
+ "version": 13
 }
From d09b25f2a071b92167176bdb972cc1edda43f30b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 25 Jan 2017 19:58:50 +0100
Subject: [PATCH 6/7] fix: BARIUM and LEAD added
---
 clusters/microsoft-activity-group.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 319fe979..116c4e13 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
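Review bot: The Greenbug description lists targets but omits the point the cited Symantec post is built around — its URL slug ends in `possible-links-shamoon` — so the one fact an analyst would most want from this actor entry is missing. Add a sentence such as `Symantec reports possible links between Greenbug and the Shamoon attacks.`, hedged as Symantec hedges it, which also lets readers pivot to the Shamoon entry that tool.json already carries. The neighbouring Equation Group entry has a `country` field; if the source gives an origin assessment for Greenbug it should be recorded the same way, otherwise leaving `country` out is the right call rather than guessing.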
@@ -69,6 +69,19 @@ },
 "value": "PLATINUM",
 "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat."
+ },
+ {
+ "value": "BARIUM",
+ "description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. 
Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
+ "meta": {
+ "refs": ["https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"]
+ }
+ },
+ {
+ "value": "LEAD",
+ "description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. 
Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
+ "meta": {
+ "refs": ["https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"]
 }
 }
 ],
 "name": "Microsoft Activity Group actor",
@@ -79,6 +92,6 @@
 ],
 "description": "Activity groups as described by Microsoft",
 "uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
- "version": 1
+ "version": 2
 }
From af16b7c6a16e6a516923f37c2d45ef6e3d02f348 Mon Sep 17 00:00:00 2001
From: cgi
Date: Thu, 26 Jan 2017 11:23:37 +0100
Subject: [PATCH 7/7] Adding Zeus to tools
---
 clusters/tool.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index ded44802..d583a212 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1194,6 +1194,21 @@
 "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.",
 "value": "GeminiDuke"
 },
+ {
+ "meta": {
+ "synonyms": [
+ "Trojan.Zbot",
+ "Zbot",
+ "ZeuS"
+ ],
+ "refs": [
+ "https://en.wikipedia.org/wiki/Zeus_(malware)",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99"
+ ]
+ },
+ "description": "Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. The Trojan is created using a Trojan-building toolkit.",
+ "value": "Zeus"
+ },
 {
 "meta": {
 "derivated-from": [
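Review bot: The LEAD description opens with `In contrast,` and its victim list has lost its bullet separators (`…textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry…`), so read on its own as a cluster description it leans on BARIUM's paragraph and runs unrelated victims together. I would reword the opening to `LEAD is an activity group that Microsoft associates with the Winnti malware and that has a far greater reputation for industrial espionage than BARIUM.` and separate the victim list with semicolons; BARIUM's first three sentences describe Microsoft's naming scheme rather than the group and can be cut down to start at `BARIUM begins its attacks…`. Separately, the LEAD entry's closing braces appear here as unmarked context lines where BARIUM's meta close is `+ }`, and the visible lines do not add up to the hunk header's counts, so this view may have lost a marker — please confirm the committed file parses (`jq . clusters/microsoft-activity-group.json`) before relying on it.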
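Review bot: The new Zeus entry's `value` `Zeus` and synonym `ZeuS` differ only in case, while `Trojan.Zbot` and `Zbot` are genuine aliases; the case variant is worth keeping only if downstream tag matching is case-sensitive, and either way it is worth checking that tool.json does not already carry a Zbot or Zeus entry elsewhere, since two values for one family produce two competing tags. The closing sentence `The Trojan is created using a Trojan-building toolkit.` is vague for an analyst; naming the kit and the kind of confidential information targeted (both presumably covered by the cited references) would make the entry distinguishable from generic infostealers, and any later families built from that kit should get their own entries rather than being appended here as synonyms. The entry is placed between APT29 Duke-family entries; array order carries no meaning in this cluster, but keeping unrelated families apart eases later review.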