From 7b7ffa45326f4877d333868e1846a4d01da8197c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 13 Nov 2023 04:36:56 -0800
Subject: [PATCH 01/10] [threat-actors] Add DEV-0950
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 60758f0..fc03a06 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12845,6 +12845,19 @@
 },
 "uuid": "46de4091-379f-478c-bb6d-5833e2047f15",
 "value": "DiceyF"
+ },
+ {
+ "description": "Lace Tempest, also known as DEV-0950, is a threat actor that exploited vulnerabilities in software such as SysAid and PaperCut to gain unauthorized access to systems. Lace Tempest is known for deploying the Clop ransomware and exfiltrating data from compromised networks.",
+ "meta": {
+ "refs": [
+ "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
+ ],
+ "synonyms": [
+ "Lace Tempest"
+ ]
+ },
+ "uuid": "4581f930-348e-4054-a71c-863871de66ee",
+ "value": "DEV-0950"
 }
 ],
 "version": 293
From 9ff1b1d2e3679ee2acec188a2e45298dbf254b93 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 13 Nov 2023 04:36:56 -0800
Subject: [PATCH 02/10] [threat-actors] Add WeRedEvils
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fc03a06..e27239f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
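Review bot: The trailing context line `"version": 293` is unchanged here and is still 293 in the context of the tenth hunk, so none of the ten commits in this series bumps the cluster version even though each adds an entry; downstream importers compare that field to decide whether to refresh, so the last commit should carry a bump (for example `"version": 294`) unless a commit outside this series does it. The only ref for DEV-0950 is the Raspberry Robin post, while the description makes claims about SysAid and PaperCut exploitation and Clop deployment that the post's title does not obviously cover; a ref supporting those claims would make the entry verifiable, and the ref should be `https://` rather than `http://`. Since the description itself opens with "Lace Tempest, also known as DEV-0950", consider `"value": "Lace Tempest"` with `DEV-0950` in `synonyms`, and in any case check the cluster for an existing entry under either name before adding a new uuid.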
@@ -12858,6 +12858,18 @@
 },
 "uuid": "4581f930-348e-4054-a71c-863871de66ee",
 "value": "DEV-0950"
+ },
+ {
+ "description": "WeRedEvils is a hacking group that has claimed responsibility for multiple cyber attacks. They targeted the Iranian Electric Grid and the Tasnimnews website, causing the latter to go offline. The group also claimed to have hacked into Iran's oil infrastructure, causing significant damage. They emerged in response to the Hamas massacre and are believed to be a group of Israeli cyber experts.",
+ "meta": {
+ "country": "IL",
+ "refs": [
+ "https://cyberwarzone.com/tasnim-news-hacked-by-weredevils/",
+ "https://www.msspalert.com/news/managed-security-services-provider-mssp-market-news-30-october-2023"
+ ]
+ },
+ "uuid": "7ba756f0-0753-4da9-b00d-8cf35ba84e57",
+ "value": "WeRedEvils"
 }
 ],
 "version": 293
From 59930c1b0b6a3019eef4f7e67ae9b97ce56ca27c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 13 Nov 2023 04:36:56 -0800
Subject: [PATCH 03/10] [threat-actors] Add WIRTE
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e27239f..aaabd00 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
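Review bot: `"country": "IL"` is stored as a hard attribute while the description only says the group is "believed to be" Israeli and otherwise relays the group's own claims, so self-claimed attribution will propagate as fact into any correlation built on `country`. Either omit `country` or make the description carry the hedge explicitly, e.g. `They are believed, largely on the basis of their own statements, to be a group of Israeli cyber experts.` The impact statements are also the group's claims, not confirmed effects, so `causing the latter to go offline` and `causing significant damage` should read `reportedly causing ...`. `in response to the Hamas massacre` is editorial for a dataset entry; a neutral, dated description of the event would age better.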
@@ -12870,6 +12870,18 @@
 },
 "uuid": "7ba756f0-0753-4da9-b00d-8cf35ba84e57",
 "value": "WeRedEvils"
+ },
+ {
+ "description": "WIRTE is a threat actor group that was first discovered in 2018. They are suspected to be part of the Gaza Cybergang, an Arabic politically motivated cyber criminal group. WIRTE has been observed changing their toolkit and operating methods to remain undetected for longer periods of time. They primarily target governmental and political entities, but have also been known to target law firms and financial institutions.",
+ "meta": {
+ "country": "PS",
+ "refs": [
+ "https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/",
+ "https://lab52.io/blog/wirte-group-attacking-the-middle-east/"
+ ]
+ },
+ "uuid": "ec6bcaa9-4cb3-4397-a735-c806bc986c81",
+ "value": "WIRTE"
 }
 ],
 "version": 293
From dc054efb622084f17df3c19908f3d168471a028e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 13 Nov 2023 04:36:56 -0800
Subject: [PATCH 04/10] [threat-actors] Add Caracal Kitten
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index aaabd00..6c5cf7d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
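Review bot: The description ties WIRTE to the Gaza Cybergang only in prose ("suspected to be part of"); if the cluster already has a Gaza Cybergang entry, a `related` element pointing at its uuid (`"dest-uuid": "<gaza-cybergang-uuid>"`, `"type": "similar"`) lets consumers pivot on the link, and `"country": "PS"` should rest on that same suspected relationship rather than read as an independent confirmed attribution. `an Arabic politically motivated cyber criminal group` reads oddly and mixes motivations; `an Arabic-speaking, politically motivated group` is presumably what is meant, if the refs support it. The securelist ref slug says the campaign dates from at least 2019, which sits fine with "first discovered in 2018" but is worth stating in the description so the two sources agree visibly.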
@@ -12882,6 +12882,20 @@
 },
 "uuid": "ec6bcaa9-4cb3-4397-a735-c806bc986c81",
 "value": "WIRTE"
+ },
+ {
+ "description": "Caracal Kitten is an APT group that has been targeting activists associated with the Kurdistan Democratic Party. They employ a mobile remote access Trojan to gain unauthorized access to victims' devices. The group disguises their malware as legitimate mobile apps, tricking users into installing them and granting the hackers access to their personal data.",
+ "meta": {
+ "refs": [
+ "https://deform.co/hacker-group-caracal-kitten-targets-kdp-activists-with-malware/",
+ "https://www.ctfiot.com/138538.html"
+ ],
+ "synonyms": [
+ "APT-Q-58"
+ ]
+ },
+ "uuid": "46a67fdf-5376-4d01-8092-6549a20030af",
+ "value": "Caracal Kitten"
 }
 ],
 "version": 293
From 91e5c37a40d8e5fa5c2df6bf28e8bc6cbed253ee Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 13 Nov 2023 04:36:56 -0800
Subject: [PATCH 05/10] [threat-actors] Add Water Labbu
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6c5cf7d..88bff0b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
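Review bot: The entry has no `country` and no stated attribution, while the `Kitten` suffix is one vendor's naming scheme for an Iran nexus and the `APT-Q-58` synonym is another vendor's label; do not let the name imply attribution — add `"country": "IR"` only if one of the two refs actually asserts it, otherwise leaving it absent is correct. The description mentions "a mobile remote access Trojan" without naming the family; if either ref names it, putting the name in the description (or a `related` link to its malware cluster entry) makes the entry far more useful for correlation. `granting the hackers access` is informal for a dataset — `granting the operators access`.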
@@ -12896,6 +12896,16 @@
 },
 "uuid": "46a67fdf-5376-4d01-8092-6549a20030af",
 "value": "Caracal Kitten"
+ },
+ {
+ "description": "Trend Micro discovered a threat actor they named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques, interacting with victims to gain their trust and then manipulating them into providing the permissions needed to transfer cryptocurrency assets. While Water Labbu managed to steal cryptocurrencies via a similar method by obtaining access permissions and token allowances from their victim’s wallets, unlike other similar campaigns, they did not use any kind of social engineering — at least not directly. Instead, Water Labbu lets other scammers use their social engineering tricks to scam unsuspecting victims.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html"
+ ]
+ },
+ "uuid": "7f24740c-9370-4968-a92e-667ef2591abe",
+ "value": "Water Labbu"
 }
 ],
 "version": 293
From 775451488d3ba8b4d3111f7e1d75448ecd862d53 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 13 Nov 2023 04:36:57 -0800
Subject: [PATCH 06/10] [threat-actors] Add TAG-56
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 88bff0b..8452bb8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
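Review bot: The description is vendor prose in the third person (`Trend Micro discovered a threat actor they named Water Labbu ...`), unlike the other entries in this series, which describe the actor directly; open with the actor instead, e.g. `Water Labbu is a threat actor, named by Trend Micro, that targets cryptocurrency scam websites and their victims ...`, and leave the vendor attribution to `refs`. The second sentence describes how generic crypto scammers operate rather than Water Labbu and can be cut. The text contains a curly apostrophe and an em dash (`victim’s`, `—`); they are valid UTF-8 JSON, but plain ASCII keeps the cluster consistent and grep-friendly.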
@@ -12906,6 +12906,18 @@
 },
 "uuid": "7f24740c-9370-4968-a92e-667ef2591abe",
 "value": "Water Labbu"
+ },
+ {
+ "description": "TAG-56 is a threat actor group that shares similarities with the APT42 group. They use tactics such as fake registration pages and spearphishing to target victims, often using encrypted chat platforms like WhatsApp or Telegram. TAG-56 is believed to be part of a broader campaign led by an Iran-nexus threat activity group. They have been observed using shared web hosts and recycled code, indicating a preference for acquiring purpose-built infrastructure rather than establishing their own.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/",
+ "https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank"
+ ]
+ },
+ "uuid": "7cae7378-5595-4d1e-be63-e13216162a20",
+ "value": "TAG-56"
 }
 ],
 "version": 293
From cf895b3b200a858a5d8469b21ee93dfb597788f4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 13 Nov 2023 04:36:57 -0800
Subject: [PATCH 07/10] [threat-actors] Add TA482
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8452bb8..f7f9fc7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
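Review bot: The first ref is a SOCRadar profile of APT42, not a source on TAG-56, so it does not support the entry it is attached to; the Recorded Future post (whose slug itself says "suspected Iran-nexus") is the primary source. If APT42 already exists in this cluster, the "shares similarities with the APT42 group" sentence belongs in a `related` element (`"dest-uuid": "<apt42-uuid>"`, `"type": "similar"`) rather than only in prose. The last sentence contradicts itself — using shared hosts and recycled code points to acquired or shared infrastructure, not purpose-built — so, if that is what the ref says, `indicating a preference for shared or acquired infrastructure over building their own`. `"country": "IR"` should carry the same "suspected" hedge the source title does.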
@@ -12918,6 +12918,17 @@
 },
 "uuid": "7cae7378-5595-4d1e-be63-e13216162a20",
 "value": "TAG-56"
+ },
+ {
+ "description": "Since early 2022, Proofpoint researchers have observed a prolific threat actor, tracked as TA482, regularly engaging in credential harvesting campaigns that target the social media accounts of mostly US-based journalists and media organizations. This victimology, TA482’s use of services originating from Turkey to host its domains and infrastructure, as well as Turkey’s history of leveraging social media to spread pro-President Recep Tayyip Erdogan and pro-Justice and Development Party (Turkey’s ruling party) propaganda support Proofpoint’s assessment that TA482 is aligned with the Turkish state.",
+ "meta": {
+ "country": "TR",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
+ ]
+ },
+ "uuid": "610a7301-5963-4653-8aa2-eeb8573dfad9",
+ "value": "TA482"
 }
 ],
 "version": 293
From a3802487a4b555a8d5cf7890bf30ffd4986f782b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 13 Nov 2023 04:36:57 -0800
Subject: [PATCH 08/10] [threat-actors] Add XakNet
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f7f9fc7..dda0abb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
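Review bot: Like the Water Labbu entry, this description is the vendor's own voice (`Since early 2022, Proofpoint researchers have observed ...`, `support Proofpoint’s assessment`) rather than a description of the actor; open with the actor, e.g. `TA482 is a threat actor, tracked by Proofpoint since early 2022, that runs credential-harvesting campaigns against the social media accounts of mostly US-based journalists and media organizations.` The second sentence is a single seventy-word run-on carrying the whole attribution argument and should be split into the evidence and the assessment. `"country": "TR"` encodes what the text calls an assessment of state alignment; keeping the word "assessed" in the description is what tells a reader the country code is analytic judgement, not confirmed origin.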
@@ -12929,6 +12929,18 @@
 },
 "uuid": "610a7301-5963-4653-8aa2-eeb8573dfad9",
 "value": "TA482"
+ },
+ {
+ "description": "XakNet is a self-proclaimed hacktivist group that has targeted Ukraine. They claim to be comprised of Russian patriotic volunteers and have conducted various threat activities, including DDoS attacks, compromises, data leaks, and website defacements. They coordinate their operations with other hacktivist groups and have connections to APT28, a cyber espionage group sponsored by the GRU.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/gru-rise-telegram-minions",
+ "https://www.mandiant.com/resources/blog/gru-disruptive-playbook"
+ ]
+ },
+ "uuid": "566752f5-a294-4430-b47e-8e705f9887ea",
+ "value": "XakNet"
 }
 ],
 "version": 293
From b3584d5f9c86f9af0fe0285a5b0a968f0ab864d3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 13 Nov 2023 04:36:57 -0800
Subject: [PATCH 09/10] [threat-actors] Add Zarya
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dda0abb..ba3f8d3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
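Review bot: The description asserts `connections to APT28, a cyber espionage group sponsored by the GRU` but the entry carries no `related` element; APT28 is presumably already in this cluster under that name or a synonym, so a `related` entry with its uuid (`"dest-uuid": "<apt28-uuid>"`) makes the link usable by correlation tooling instead of being prose only. "connections to" is vague for what the Mandiant refs are about — if the source says Mandiant assessed coordination between the two, say that, with the assessment hedge. Small wording: `comprised of` → `composed of`, and `compromises` as an activity reads better as `network intrusions`.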
@@ -12941,6 +12941,21 @@
 },
 "uuid": "566752f5-a294-4430-b47e-8e705f9887ea",
 "value": "XakNet"
+ },
+ {
+ "description": "Zarya is a pro-Russian hacktivist group that emerged in March 2022. Initially operating as a special forces unit under the command of Killnet, Zarya has since become an independent entity. The group is primarily known for engaging in Denial-of-Service attacks, website defacement campaigns, and data leaks. Zarya targets government agencies, service providers, critical infrastructure, and civil service employees, both domestically and internationally.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics",
+ "https://www.cyfirma.com/?post_type=out-of-band&p=17397",
+ "https://www.reversinglabs.com/blog/the-week-in-security-possible-colonial-pipeline-2.0-ransomware-hurts-small-american-eateries",
+ "https://channellife.com.au/story/the-increasing-presence-of-pro-russia-hacktivists",
+ "https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/"
+ ]
+ },
+ "uuid": "3689f0e2-6c39-4864-ae0b-cc03e4cb695a",
+ "value": "Zarya"
 }
 ],
 "version": 293
From 28e02d308f162a5f94f1ea818cd7d8737adb9a9c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 13 Nov 2023 04:36:57 -0800
Subject: [PATCH 10/10] [threat-actors] Add DarkCasino
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ba3f8d3..8ad97eb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
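Review bot: The second ref, `https://www.cyfirma.com/?post_type=out-of-band&p=17397`, is a WordPress query-string URL rather than a permalink and is the kind of link that stops resolving after a site restructure; replace it with the post's canonical slug URL if one exists. Of the five refs, the first and the last are Killnet profiles by their slugs and the third is a weekly news roundup, so check that each one actually mentions Zarya; refs that only support the Killnet relationship are better carried by a `related` element pointing at the Killnet entry (`"dest-uuid": "<killnet-uuid>"`), which is also where "under the command of Killnet" belongs. `special forces unit` is the group's self-description and should be quoted or attributed as such.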
@@ -12956,6 +12956,16 @@
 },
 "uuid": "3689f0e2-6c39-4864-ae0b-cc03e4cb695a",
 "value": "Zarya"
+ },
+ {
+ "description": "DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.",
+ "meta": {
+ "refs": [
+ "https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/"
+ ]
+ },
+ "uuid": "b9128c29-8941-48a8-a5be-8076dde03a08",
+ "value": "DarkCasino"
 }
 ],
 "version": 293
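Review bot: `have been active for over a year` is relative to the source's publication date and becomes wrong as the entry ages; anchor it to a date taken from the ref (`active since at least <year per NSFOCUS report>`) or drop the clause. `network banks` and `steal online property` look like translation artifacts — `online banks` and `online assets`. "exploits ... CVE-2023-38831 to launch phishing attacks" inverts the likely chain; if the ref bears it out, `delivers malicious archives exploiting CVE-2023-38831 in phishing campaigns to steal account credentials and funds` states what the vulnerability is used for. This is also the last hunk of the series and `"version": 293` is still unchanged in its context, so the version bump noted on the first commit has not happened anywhere in the ten patches.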