Merge branch 'master' into master

pull/508/head
Deborah Servili 2020-01-24 09:33:33 +01:00 committed by GitHub
commit 5da17d51aa
2 changed files with 116 additions and 38 deletions


@ -1,7 +1,8 @@
{
"authors": [
"https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
"http://pastebin.com/raw/GHgpWjar"
"http://pastebin.com/raw/GHgpWjar",
"MISP Project"
],
"category": "tool",
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar",
@ -13619,7 +13620,40 @@
},
"uuid": "21b349c3-ede2-4e11-abda-1444eb272eff",
"value": "Clop"
},
{
"description": "The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip",
"meta": {
"ransomnotes-filenames": [
"_如何解密我的文件_.txt"
],
"ransomnotes-refs": [
"https://1.bp.blogspot.com/-T0B4txHlNHs/Xh4-raVFVtI/AAAAAAAACTE/R-YoW8QHFLsuD140AF9vD-_rOifULExUgCLcBGAsYHQ/s1600/note.PNG"
],
"refs": [
"https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html"
]
},
"uuid": "8ac9fc73-05db-4be8-8f46-33bbd6b3502b",
"value": "5ss5c Ransomware"
},
{
"description": "Nodera is a ransomware family that uses the Node.js framework and was discovered by Quick Heal researchers. The infection chain starts with a VBS script embedded with multiple JavaScript files. Upon execution, a directory is created and both the main node.exe program and several required NodeJS files are downloaded into the directory. Additionally, a malicious JavaScript payload that performs the encryption process is saved in this directory. After checking that it has admin privileges and setting applicable variables, the malicious JavaScript file enumerates the drives to create a list of targets. Processes associated with common user file types are stopped and volume shadow copies are deleted. Finally, all user-specific files on the C: drive and all files on other drives are encrypted and are appended with a .encrypted extension. The ransom note containing instructions on paying the Bitcoin ransom are provided along with a batch script to be used for decryption after obtaining the private key. Some mistakes in the ransom note identified by the researchers include the fact that it mentions a 2048-bit RSA public key instead of 4096-bit (the size that was actually used), a hard-coded private key destruction time dating back almost 2 years ago, and a lack of instructions for how the private key will be obtained after the ransom is paid. These are signs that the ransomware may be in the development phase and was likely written by an amateur. For more information, see the QuickHeal blog post in the Reference section below.",
"meta": {
"extensions": [
".encrypted"
],
"refs": [
"https://exchange.xforce.ibmcloud.com/collection/6f18908ce6d9cf4efb551911e00d9ec4",
"https://blogs.quickheal.com/first-node-js-based-ransomware-nodera/"
],
"synonyms": [
"Nodera"
]
},
"uuid": "0529c53a-afe7-4549-899e-3f8735467f96",
"value": "Nodera Ransomware"
}
],
"version": 76
"version": 78
}
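Review bot: The Nodera description ends with `For more information, see the QuickHeal blog post in the Reference section below.`, which refers to a UI element of the page the text was lifted from (the X-Force Exchange collection linked in `refs`), not to anything in this galaxy; drop that sentence and, since the rest is a verbatim copy, attribute it to its source the way the 5ss5c entry does with `[...]`. The Nodera `synonyms` list holds `"Nodera"`, which differs from the cluster value `"Nodera Ransomware"` only by the suffix, so it adds nothing for matching and may collide with the galaxy's duplicate/synonym validation — confirm against the project's validation script before keeping it. The 5ss5c description is a truncated quote listing the file extensions the malware *targets*, which sits right next to entries where `extensions` means the suffix *appended* after encryption (`.encrypted` for Nodera); add a clause such as `(extensions of files it encrypts, not the extension it appends)` so consumers do not load that list into an indicator for the wrong thing.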


@ -216,7 +216,7 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
"https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"
]
},
"uuid": "41c15f08-a646-49f7-a644-1bebbf7a4dcd",
@ -506,7 +506,7 @@
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf",
"https://www.cfr.org/interactive/cyber-operations/apt-17",
"https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/",
"https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
"https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
"https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
"https://www.recordedfuture.com/hidden-lynx-analysis/"
@ -659,7 +659,7 @@
"https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
"https://www.cfr.org/interactive/cyber-operations/axiom",
"https://securelist.com/games-are-over/70991/",
"https://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html",
"https://vsec.com.vn/en/blogen/initial-winnti-analysis-against-vietnam-game-company.html",
"https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
"https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
"https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
@ -834,7 +834,7 @@
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
"https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
"https://threatconnect.com/tag/naikon/",
"https://threatconnect.com/blog/tag/naikon/",
"https://attack.mitre.org/groups/G0019/"
],
"synonyms": [
@ -2070,7 +2070,7 @@
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
"https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
"http://www.clearskysec.com/thamar-reservoir/",
"https://citizenlab.org/2015/08/iran_two_factor_phishing/",
"https://citizenlab.ca/2015/08/iran_two_factor_phishing/",
"https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
"https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
@ -2380,10 +2380,9 @@
"https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
"https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
"https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT",
"https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny",
"https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/",
"https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/",
"https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/",
@ -2647,7 +2646,6 @@
"http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
"https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
"https://www.cfr.org/interactive/cyber-operations/crouching-yeti",
"https://ssu.gov.ua/sbu/control/uk/publish/article?art_id=170951&cat_i=39574",
"https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA",
"https://dragos.com/wp-content/uploads/CrashOverride-01.pdf",
"https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html",
@ -2811,10 +2809,9 @@
"motive": "Cybercrime",
"refs": [
"https://en.wikipedia.org/wiki/Carbanak",
"https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf",
"https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
"http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf",
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
"https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/",
"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
"https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/",
@ -3181,7 +3178,7 @@
"attribution-confidence": "50",
"country": "TN",
"refs": [
"https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/"
"https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/"
],
"synonyms": [
"TunisianCyberArmy"
@ -3270,7 +3267,6 @@
"https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe",
"https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
"https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
"https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf",
"https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
"https://s.tencent.com/research/report/669.html",
"https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html"
@ -3312,7 +3308,7 @@
"cfr-type-of-incident": "Espionage",
"country": "AE",
"refs": [
"https://citizenlab.org/2016/05/stealth-falcon/",
"https://citizenlab.ca/2016/05/stealth-falcon/",
"https://www.cfr.org/interactive/cyber-operations/stealth-falcon",
"https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/",
"https://attack.mitre.org/groups/G0038/"
@ -3396,7 +3392,7 @@
"country": "IN",
"refs": [
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
"https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign",
"https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign",
"https://www.cymmetria.com/patchwork-targeted-attack/",
"https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf",
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
@ -3495,7 +3491,7 @@
"refs": [
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"https://attack.mitre.org/wiki/Groups",
"https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor",
"https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor",
"http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor",
"https://www.cfr.org/interactive/cyber-operations/moafee",
"https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
@ -3836,7 +3832,7 @@
"https://pan-unit42.github.io/playbook_viewer/",
"https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
"https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf",
"https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf",
"https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a",
"https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json",
"https://www.cfr.org/interactive/cyber-operations/oilrig",
@ -3944,7 +3940,7 @@
"description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .",
"meta": {
"refs": [
"https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf",
"https://blog.checkpoint.com/2015/03/31/volatilecedar/",
"https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/",
"https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/"
],
@ -3998,11 +3994,10 @@
"https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website",
"https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html",
"https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html",
"https://blog.vectra.ai/blog/moonlight-middle-east-targeted-attacks",
"https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
"https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/",
"https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf",
"https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
"https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf",
"https://securelist.com/gaza-cybergang-updated-2017-activity/82765/",
"https://www.kaspersky.com/blog/gaza-cybergang/26363/",
"https://attack.mitre.org/groups/G0021/"
@ -4092,7 +4087,7 @@
"description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.",
"meta": {
"refs": [
"https://citizenlab.org/2015/12/packrat-report/"
"https://citizenlab.ca/2015/12/packrat-report/"
]
},
"uuid": "fe344665-d153-4d31-a32a-1509efde1ca7",
@ -4937,7 +4932,7 @@
"attribution-confidence": "50",
"country": "KP",
"refs": [
"https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
"https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html"
]
},
"uuid": "73c636ae-e55c-4167-bf40-315789698adb",
@ -4964,7 +4959,6 @@
"country": "CN",
"refs": [
"https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
"https://www.threatconnect.com/china-superman-apt/",
"https://www.cfr.org/interactive/cyber-operations/mofang",
"https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
],
@ -4995,7 +4989,7 @@
"country": "IR",
"refs": [
"https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf",
"https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/",
"https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr",
"http://www.clearskysec.com/copykitten-jpost/",
"http://www.clearskysec.com/tulip/",
"https://www.cfr.org/interactive/cyber-operations/copykittens",
@ -5345,7 +5339,7 @@
{
"meta": {
"refs": [
"https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
]
},
"uuid": "e85ab78c-5e86-403c-b444-9cdcc167fb77",
@ -5385,7 +5379,7 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf",
"https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
"https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml",
"https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
]
@ -5439,11 +5433,9 @@
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf",
"http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html",
"https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/",
"https://ti.360.com/upload/report/file/APTSWXLVJ8fnjoxck.pdf",
"https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/",
"https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
"https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View",
"https://www.ci-project.org/blog/2017/3/4/arid-viper",
"http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
"https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812",
@ -5514,7 +5506,7 @@
"country": "RU",
"refs": [
"https://securelist.com/introducing-whitebear/81638/",
"https://www.cfr.org/interactive/cyber-operations/whitebears"
"https://www.cfr.org/interactive/cyber-operations/whitebear"
],
"synonyms": [
"Skipper Turla"
@ -5539,7 +5531,7 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
"http://en.hackdig.com/02/39538.htm"
]
},
"uuid": "110792e8-38d2-4df2-9ea3-08b60321e994",
@ -5638,7 +5630,6 @@
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/",
"https://www.group-ib.com/resources/reports/money-taker.html",
"https://www.group-ib.com/blog/moneytaker"
]
},
@ -5650,7 +5641,7 @@
"meta": {
"refs": [
"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
"https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf"
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf"
]
},
"uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632",
@ -5766,7 +5757,7 @@
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
"https://www.cfr.org/interactive/cyber-operations/leviathan",
"https://www.cfr.org/interactive/cyber-operations/apt-40",
"https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
"https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/",
"https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html",
@ -6134,7 +6125,7 @@
"description": "ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.",
"meta": {
"refs": [
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03095519/ZooPark_for_public_final.pdf"
"https://securelist.com/whos-who-in-the-zoo/85394/"
]
},
"uuid": "4defbf2e-4f73-11e8-807f-578d61da7568",
@ -6420,7 +6411,7 @@
"refs": [
"https://www.cfr.org/interactive/cyber-operations/inception-framework",
"https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit",
"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/%238",
"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
"https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
"https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
"https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf"
@ -6959,9 +6950,16 @@
"description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
"meta": {
"refs": [
"https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
"https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
"https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/"
"https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
"https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
],
"synonyms": [
"TEMP.MixMaster"
]
},
"uuid": "bdf4fe4f-af8a-495f-a719-cf175cecda1f",
@ -7230,7 +7228,6 @@
"attribution-confidence": "10",
"country": "IR",
"refs": [
"https://resecurity.com/blog/parliament_races/",
"https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986",
"https://threatpost.com/ranian-apt-6tb-data-citrix/142688/",
"https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/"
@ -7882,6 +7879,53 @@
},
"uuid": "c432d032-ce2b-4eb8-ba87-312b2a43fb7a",
"value": "Operation Wocao"
},
{
"description": "Based on the evidence we have presented Symantec attributed the activity involving theDripion malware to the Budminer advanced threat group. While we have not seen newcampaigns using Taidoor malware since 2014, we believe the Budminer group has changedtactics to avoid detection after being outed publicly in security white papers and blogs over thepast few years.",
"meta": {
"country": "CN",
"refs": [
"https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan",
"https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm",
"https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf"
],
"suspected-victims": "Taiwan",
"synonyms": [
"Budminer cyberespionage group"
]
},
"uuid": "2eb0dc7a-cef6-4744-92ac-2fe269dacb95",
"value": "Budminer"
},
{
"description": "Adversary group targeting diplomatic missions and governmental organisations.",
"meta": {
"cfr-target-category": [
"Private sector",
"Government"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform"
]
},
"uuid": "947a450a-df6c-4c2e-807b-0da8ecea1d26",
"value": "Attor"
},
{
"description": "DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components.",
"meta": {
"cfr-target-category": [
"Private sector",
"Finance"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader"
]
},
"uuid": "443faf38-ad93-4421-8a53-47ad84b195fa",
"value": "DePriMon"
}
],
"version": 153
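Review bot: The Budminer description carries PDF copy-paste artifacts — `theDripion`, `newcampaigns`, `changedtactics`, `thepast` — that should read `the Dripion`, `new campaigns`, `changed tactics`, `the past`, and because it keeps Symantec's first-person "we" it should be marked as a quotation of the Symantec write-up rather than presented as the galaxy's own assessment. Its `"suspected-victims": "Taiwan"` is a bare string while the other list-valued meta fields in this hunk are arrays; confirm the shape the rest of the file uses for `suspected-victims` before merging, since a consumer iterating the field would get characters instead of names. The second Budminer ref, `https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm`, is an unattributed copy of the report on a personal file-share that can be silently replaced or withdrawn — a provenance problem for a threat-intel corpus; prefer the original vendor URL or a Web Archive snapshot (as this same commit does for the CrowdStrike ref at `https://web.archive.org/web/20160315044507/...`), and if a mirror is unavoidable, note the document's SHA-256 in the description. Attor and DePriMon are described as "spy platform" and "downloader", i.e. tooling rather than an actor, and their `cfr-target-category`/`cfr-type-of-incident` values are not backed by a cfr.org tracker reference; if they are the author's own classification rather than CFR data, the non-`cfr-` fields should be used, and the entries themselves probably belong in a malware/tool galaxy with a reference from the actor cluster that operates them.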