Merge pull request #887 from Mathieu4141/threat-actors/04da55b3-acda-4e77-b687-e7f9329d0fd1

[threat-actors] Adding 10 actors
2023-11-04 07:40:55 +01:00 · 2023-11-04 07:40:55 +01:00 · 61922581e7
parent 0b5b9ca5a3 025345e1b6
commit 61922581e7
1 changed files with 132 additions and 13 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -12093,19 +12093,6 @@
      "uuid": "79d0da59-9400-40f6-b72b-6c6f47354d59",
      "value": "Scarred Manticore"
    },
-    {
-      "description": "The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)",
-      "meta": {
-        "refs": [
-          "https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
-          "https://www.cybersecurity-insiders.com/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers-and-android-devices/?utm_source=rss&utm_medium=rss&utm_campaign=rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers-and-android-devices",
-          "https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/",
-          "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/"
-        ]
-      },
-      "uuid": "b01f7ed8-db75-45c7-ac7b-60aa4a1f7f4b",
-      "value": "Keksec"
-    },
    {
      "description": "The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)",
      "meta": {
@ -12237,6 +12224,138 @@
      },
      "uuid": "2ceeab57-85e3-468b-a1b8-c035c496dcdc",
      "value": "Lancefly"
+    },
+    {
+      "description": "LofyGang has been found to be linked to more than 200 malicious packages, with thousands of installations throughout 2022. The group, believed to have been operating for more than a year, has multiple hacking objectives, including stealing credit card information and stealing user accounts including Discord Inc. premium accounts, streaming services accounts such as Disney+ and Minecraft accounts.",
+      "meta": {
+        "refs": [
+          "https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/"
+        ]
+      },
+      "uuid": "a47b0f97-30fe-451d-9983-3bdc1e4608ab",
+      "value": "LofyGang"
+    },
+    {
+      "description": "The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises.",
+      "meta": {
+        "aliases": [
+          "Oro0lxy",
+          "DarkShadow"
+        ],
+        "country": "CN",
+        "refs": [
+          "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-november-2023/ba-p/3970796",
+          "https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-41-5/",
+          "https://twitter.com/MsftSecIntel/status/1711871732644970856"
+        ]
+      },
+      "uuid": "d1fe4546-616a-409c-8d2c-f7a7e0a183f8",
+      "value": "Storm-0062"
+    },
+    {
+      "description": "ESET researchers have discovered a new undocumented modular backdoor, SideWalk, being used by an APT group they’ve named SparklingGoblin; this backdoor was used during one of SparklingGoblin’s recent campaigns that targeted a computer retail company based in the USA. This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK.",
+      "meta": {
+        "refs": [
+          "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
+        ]
+      },
+      "uuid": "f3fd4397-19e4-47e0-b1bc-f792690e3bd0",
+      "value": "SparklingGoblin"
+    },
+    {
+      "description": "The Kasablanka group is a cyber-criminal organization that has\nspecifically targeted Russia between September and December 2022,\nusing various payloads delivered through phishing emails containing\nsocially engineered lnk files, zip packages, and executables attached to\nvirtual disk image files.",
+      "meta": {
+        "country": "MA",
+        "refs": [
+          "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/",
+          "https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/",
+          "https://blog.talosintelligence.com/get-a-loda-this/"
+        ]
+      },
+      "uuid": "6db3ad41-6b47-43c8-b94b-98853749ee02",
+      "value": "Kasablanka"
+    },
+    {
+      "description": "YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States, based on Cisco Talos analysis. YoroTrooper was also observed compromising accounts from at least two international organizations: a critical European Union health care agency and the World Intellectual Property Organization. Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan.",
+      "meta": {
+        "country": "KZ",
+        "refs": [
+          "https://blog.talosintelligence.com/attributing-yorotrooper/",
+          "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/"
+        ]
+      },
+      "uuid": "2031ae01-e962-4861-a224-0934af6cdd3a",
+      "value": "YoroTrooper"
+    },
+    {
+      "description": "Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa. Metador’s attack chains are designed to bypass native security solutions while deploying malware platforms directly into memory. SentinelLabs researchers discovered variants of two long-standing Windows malware platforms, and indications of an additional Linux implant.",
+      "meta": {
+        "refs": [
+          "https://www.sentinelone.com/labs/the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques/",
+          "https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/"
+        ]
+      },
+      "uuid": "5d22315b-55ef-4d8a-86aa-00ba38057641",
+      "value": "Metador"
+    },
+    {
+      "description": "SiegedSec, a hacktivist collective, emerged coincidentally just days before Russia’s invasion of Ukraine. Under the leadership of the hacktivist known as “YourAnonWolf,” the group swiftly gained strength, announcing an increasing number of victims after its inception. The group humorously self-identifies as “gay furry hackers” and is renowned for its comical slogans and the use of vulgar language. SiegedSec has affiliations with other hacker groups like GhostSec and typically consists of members aged between 18 and 26.",
+      "meta": {
+        "refs": [
+          "https://therecord.media/nato-siegedsec-unclassified-websites-alleged-cyberattack",
+          "https://socradar.io/threat-actor-profile-siegedsec/",
+          "https://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/",
+          "https://therecord.media/fort-worth-officials-say-leaked-data-was-public",
+          "https://webz.io/dwp/exclusive-hacktivists-attack-anti-abortion-u-s-states/",
+          "https://www.darkowl.com/blog-content/darkowl-threat-actor-spotlight-siegedsec-and-leaked-data/"
+        ]
+      },
+      "uuid": "3c2f534a-a898-4af6-b3e8-f2740c473de0",
+      "value": "SiegedSec"
+    },
+    {
+      "description": "Ransomed.VC burst onto the scene with a well-orchestrated PR campaign, encompassing a clearnet site and multiple communication channels including Telegram and Twitter/X profiles. Their operations are heavily inclined towards exploiting GDPR penalties as a method of extortion, threatening victims with potential legal repercussions in case of data leaks.",
+      "meta": {
+        "aliases": [
+          "Ransomed.vc"
+        ],
+        "refs": [
+          "https://therecord.media/colonial-pipeline-attributes-ransomware-claims-to-unrelated-third-party-breach",
+          "https://socradar.io/on-the-horizon-ransomed-vc-ransomware-group-spotted-in-the-wild/",
+          "https://www.sentinelone.com/blog/sep-2023-cybercrime-update-new-ransomware-threats-and-the-rising-menace-of-telegram/",
+          "https://socradar.io/unmasking-usdod-the-enigma-of-the-cyber-realm/",
+          "https://www.videogameschronicle.com/news/a-ransomware-group-claims-to-have-beached-all-sony-systems/",
+          "https://securityaffairs.com/151550/data-breach/ransomed-vc-sony-ntt-alleged-attacks.html",
+          "https://blog.talosintelligence.com/threat-source-newsletter-sept-28-2023/",
+          "https://www.resecurity.com/blog/article/ransomedvc-in-the-spotlight-what-we-know-about-the-ransomware-group-targeting-major-japanese-businesses"
+        ]
+      },
+      "uuid": "f939b51d-32f9-41d9-8549-f00b2db104c7",
+      "value": "RansomVC"
+    },
+    {
+      "description": "Symantec recently reported on activity attributed to a threat actor group dubbed Carderbee. In the campaign, the threat actors target entities in Hong Kong and other regions of Asia via a supply chain attack leveraging the legitimate Cobra DocGuard software. The activity began as early as September 2022.",
+      "meta": {
+        "refs": [
+          "https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia",
+          "https://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack",
+          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse"
+        ]
+      },
+      "uuid": "ce793b99-0cf2-4148-831c-ea5f6a9e0a76",
+      "value": "Carderbee"
+    },
+    {
+      "description": "A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdoor named “SUGARUSH” and a browser credential stealer called “SUGARDUMP”, which exfiltrates password information to email addresses registered with Gmail, ProtonMail, Yahoo and Yandex email services. The threat actor also employs a network of C&C servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn and Facebook. These servers are designed to communicate with the targets and also with a watering hole hosted on the login page of a legitimate Israeli shipping company.",
+      "meta": {
+        "country": "IR",
+        "refs": [
+          "https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/",
+          "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping"
+        ]
+      },
+      "uuid": "27e11cc5-1688-4aea-a98d-96e6c275d005",
+      "value": "UNC3890"
    }
  ],
  "version": 289