From d45a32e9e2230cfc9e0032854064685a6b4b55ca Mon Sep 17 00:00:00 2001
From: Nils Kuhnert
Date: Wed, 30 Jan 2019 08:22:46 +0100
Subject: [PATCH 01/11] Added Shadow Crane as synonym for Dark Hotel.
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8450504..786dbfd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -363,7 +363,8 @@
 "Luder",
 "Nemim",
 "Tapaoux",
- "Pioneer"
+ "Pioneer",
+ "Shadow Crane"
 ]
 },
 "related": [
From 0b04046d916ce37f38708022dc3808596075a6bf Mon Sep 17 00:00:00 2001
From: Nils Kuhnert
Date: Fri, 1 Feb 2019 13:17:43 +0100
Subject: [PATCH 02/11] Added Quilted Tiger as Synonym for Patchwork/Dropping Elephant.
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 786dbfd..e7574ae 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2932,7 +2932,8 @@
 "Chinastrats",
 "Patchwork",
 "Monsoon",
- "Sarit"
+ "Sarit",
+ "Quilted Tiger"
 ]
 },
 "related": [
From a171d5aa9dc2d292ddd1aab268e0583eb79be3f2 Mon Sep 17 00:00:00 2001
From: Nils Kuhnert
Date: Sun, 3 Feb 2019 21:36:21 +0100
Subject: [PATCH 03/11] Added Ocean Buffalo synonym for Ocean Lotus
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f6219e5..ddbc741 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3913,7 +3913,8 @@
 "APT-C-00",
 "SeaLotus",
 "APT-32",
- "APT 32"
+ "APT 32",
+ "Ocean Buffalo"
 ]
 },
 "related": [
From 5a077cf838e6c8c9b801797e1f8692027e62a15e Mon Sep 17 00:00:00 2001
From: Nils Kuhnert
Date: Thu, 7 Feb 2019 08:26:10 +0100
Subject: [PATCH 04/11] Added Cobalt Spider as Synonym for Cobalt
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
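Review bot: The added synonym carries no supporting reference and the cluster file's top-level `version` is left unchanged — the diffstat (2 insertions, 1 deletion) confirms only the synonym line moved. If the consumer uses `version` to decide whether a galaxy cluster needs reloading, as MISP does to my knowledge, none of these synonyms reach already-deployed instances until a later commit happens to bump it, so each synonym-adding patch should bump `version` as patch 10 does for `clusters/tool.json`. The source for the alias mapping (the vendor naming report, the way patch 07 later adds a CrowdStrike link for Cobalt Spider) belongs in the entry's `refs` in the same commit, because an unsourced alias in an attribution dataset cannot be audited by anyone acting on it. The same two points apply to patches 02 through 06 and 08 (Quilted Tiger, Ocean Buffalo, Cobalt Spider, Turbine Panda, Static Kitten, Velvet Chollima).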
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ddbc741..fde49b5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4124,7 +4124,8 @@
 "synonyms": [
 "Cobalt group",
 "Cobalt gang",
- "GOLD KINGSWOOD"
+ "GOLD KINGSWOOD",
+ "Cobalt Spider"
 ]
 },
 "uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
From 0049acd81ca68adf30a59c5fc5405d5e7d8620c9 Mon Sep 17 00:00:00 2001
From: Nils Kuhnert
Date: Thu, 7 Feb 2019 08:28:48 +0100
Subject: [PATCH 05/11] Added Turbine Panda as synonym for APT 26
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ddbc741..3ede597 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4246,7 +4246,8 @@
 "synonyms": [
 "APT26",
 "Hippo Team",
- "JerseyMikes"
+ "JerseyMikes",
+ "Turbine Panda"
 ]
 },
 "related": [
From 523a52c4db1a187665a398175d25076c36214345 Mon Sep 17 00:00:00 2001
From: Nils Kuhnert
Date: Thu, 7 Feb 2019 08:38:52 +0100
Subject: [PATCH 06/11] Added static kitten as synonym for MuddyWater
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ddbc741..3dbd08d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4935,7 +4935,8 @@
 "https://www.cfr.org/interactive/cyber-operations/muddywater"
 ],
 "synonyms": [
- "TEMP.Zagros"
+ "TEMP.Zagros",
+ "Static Kitten"
 ]
 },
 "related": [
From 9778bea81e59a9829216100aadc35ab73b607cdb Mon Sep 17 00:00:00 2001
From: Nils Kuhnert
Date: Thu, 7 Feb 2019 08:41:00 +0100
Subject: [PATCH 07/11] Added Cobalt Spider reference
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fde49b5..bc1fced 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4119,7 +4119,8 @@
 "refs": [
 "https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/",
 "https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/",
- "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish"
+ "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/"
 ],
 "synonyms": [
 "Cobalt group",
From fc16f4f69c49a2e632fdc4904d16989bba8eee60 Mon Sep 17 00:00:00 2001
From: Nils Kuhnert
Date: Fri, 8 Feb 2019 08:50:05 +0100
Subject: [PATCH 08/11] Added Velvet Chollima as synonym to Kimsuki
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1b13db4..b38e277 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4525,7 +4525,8 @@
 "https://www.cfr.org/interactive/cyber-operations/kimsuky"
 ],
 "synonyms": [
- "Kimsuky"
+ "Kimsuky",
+ "Velvet Chollima"
 ]
 },
 "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
From 662cc5a012b1ec6bfffa53af1b5efcea7898eb0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Neto?=
Date: Fri, 8 Feb 2019 16:50:22 +0100
Subject: [PATCH 09/11] Updated "Iran" name
This extra space leads to an unnecessary key error when parsing the json file
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b38e277..7102944 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1561,7 +1561,7 @@
 {
 "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889. One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with the group—believed to be have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016. ",
 "meta": {
- "cfr-suspected-state-sponsor": " Iran (Islamic Republic of)",
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
 "cfr-suspected-victims": [
 "Bank of America",
 "US Bancorp",
From 95a70d09a5a49af660dfaab029ec50bad5df8042 Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Tue, 12 Feb 2019 12:19:23 -0500
Subject: [PATCH 10/11] add ANEL/UPPERCUT in tool cluster
---
 clusters/tool.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index f27cca8..16c05e6 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
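Review bot: Stray whitespace in this file is not limited to the one value this patch corrects: the context line just above the changed `cfr-suspected-state-sponsor` in the same hunk shows the entry's `description` string ending with a trailing space (`... in 2016. "`). Since the commit message says the leading space caused a key error in a consumer that uses these values as lookup keys, a pre-merge validation step that rejects leading or trailing whitespace in `meta` string values (at minimum for the `cfr-*` keys) would catch the whole class before it ships, rather than one instance at a time. The consumer failure itself is inferred from the commit message; the consumer code is not visible here.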
@@ -7509,7 +7509,21 @@
 },
 "uuid": "0147c0fd-ed74-4d38-a823-130542d894a3",
 "value": "OSX.BadWord"
+ },
+ {
+ "description":"Backdoor",
+ "meta": {
+ "refs": [
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/",
+ "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
+ ],
+ "synonyms": [
+ "UPPERCUT"
+ ]
+ },
+ "uuid": "588b97ff-3434-4aa1-a5fd-815e1bb0178b",
+ "value": "ANEL"
 }
 ],
- "version": 108
+ "version": 109
 }
From ad0ef66b0a4654c779411736bee6ce7bf691536a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 12 Feb 2019 21:41:33 +0100
Subject: [PATCH 11/11] chg: [tool] jq jq jq jq jq jq jq jq
---
 clusters/tool.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 16c05e6..e2ea6bb 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7511,7 +7511,7 @@
 "value": "OSX.BadWord"
 },
 {
- "description":"Backdoor",
+ "description": "Backdoor",
 "meta": {
 "refs": [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/",
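Review bot: The new ANEL entry's `description` is the single word `Backdoor`, which adds nothing beyond what `value` and the `UPPERCUT` synonym already say and gives an analyst no way to tell what the two refs support. Judging only by their URLs, the refs are a Trend Micro ChessMaster post and a FireEye APT10 post, so the description should at least state what those sources establish about the tool, e.g. `"description": "Backdoor documented in the referenced ChessMaster and APT10 reporting."`, with the wording checked against the sources before merging. If a matching actor entry exists in `clusters/threat-actor.json`, a `related` link to its uuid would connect tool and actor; I infer that convention only from the `related` arrays visible in the threat-actor hunks earlier in this series, so confirm it is used in the tool cluster too. The `version` bump in this hunk is the right thing to pair with a new entry.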