From 13c770f0a731bcb0ae0c499f5a3cfd05fd7322c5 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 19:02:12 +0100
Subject: [PATCH 01/11] [threat-actors] Add LofyGang
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 47dd4bc..41942fc 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12237,6 +12237,16 @@
 },
 "uuid": "2ceeab57-85e3-468b-a1b8-c035c496dcdc",
 "value": "Lancefly"
+ },
+ {
+ "description": "LofyGang has been found to be linked to more than 200 malicious packages, with thousands of installations throughout 2022. The group, believed to have been operating for more than a year, has multiple hacking objectives, including stealing credit card information and stealing user accounts including Discord Inc. premium accounts, streaming services accounts such as Disney+ and Minecraft accounts.",
+ "meta": {
+ "refs": [
+ "https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/"
+ ]
+ },
+ "uuid": "a47b0f97-30fe-451d-9983-3bdc1e4608ab",
+ "value": "LofyGang"
 }
 ],
 "version": 289
From 419c62cea140f6e5259f94dfe16c70ae97fad290 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 19:02:12 +0100
Subject: [PATCH 02/11] [threat-actors] Add Storm-0062
---
 clusters/threat-actor.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 41942fc..9977998 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
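Review bot: The trailing context line `"version": 289` is left untouched here and in every hunk of patches 02 through 10, so ten entries are added without the cluster version ever being bumped. MISP instances use that field to decide whether a galaxy needs re-importing, so as far as I know the new actors will not appear on deployments that already hold version 289; a single bump in the last patch of the series, `"version": 290`, is enough. The enclosing array and the JSON document continue outside the hunk.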
@@ -12247,6 +12247,23 @@
 },
 "uuid": "a47b0f97-30fe-451d-9983-3bdc1e4608ab",
 "value": "LofyGang"
+ },
+ {
+ "description": "The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises.",
+ "meta": {
+ "aliases": [
+ "Oro0lxy",
+ "DarkShadow"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-november-2023/ba-p/3970796",
+ "https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-41-5/",
+ "https://twitter.com/MsftSecIntel/status/1711871732644970856"
+ ]
+ },
+ "uuid": "d1fe4546-616a-409c-8d2c-f7a7e0a183f8",
+ "value": "Storm-0062"
 }
 ],
 "version": 289
From 0f1777df92e9688c597a31a177b5415d942a7e19 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 19:02:12 +0100
Subject: [PATCH 03/11] [threat-actors] Add SparklingGoblin
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9977998..d894645 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
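Review bot: The Storm-0062 entry puts its alternate names under `"aliases"`, but the threat-actor cluster keeps them under `"synonyms"`, which is the key the galaxy JSON schema and MISP's name matching read, so Oro0lxy and DarkShadow are likely to be ignored or to fail schema validation; the RansomVC entry in patch 08 uses the same key. Renaming it to `"synonyms": [` in both places fixes this. The description also mentions exploitation of a vulnerability in the Data Center and Server editions of Confluence without identifying it; the CVE identifier given in the cited Microsoft post would make the entry findable by that identifier.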
@@ -12264,6 +12264,16 @@
 },
 "uuid": "d1fe4546-616a-409c-8d2c-f7a7e0a183f8",
 "value": "Storm-0062"
+ },
+ {
+ "description": "ESET researchers have discovered a new undocumented modular backdoor, SideWalk, being used by an APT group they’ve named SparklingGoblin; this backdoor was used during one of SparklingGoblin’s recent campaigns that targeted a computer retail company based in the USA. This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
+ ]
+ },
+ "uuid": "f3fd4397-19e4-47e0-b1bc-f792690e3bd0",
+ "value": "SparklingGoblin"
 }
 ],
 "version": 289
From 58e8dfef71b226ad18f7c43c75dda13f0d54b4d0 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 19:02:12 +0100
Subject: [PATCH 04/11] [threat-actors] Add Kasablanka
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d894645..6b43dc2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12274,6 +12274,19 @@
 },
 "uuid": "f3fd4397-19e4-47e0-b1bc-f792690e3bd0",
 "value": "SparklingGoblin"
+ },
+ {
+ "description": "The Kasablanka group is a cyber-criminal organization that has\nspecifically targeted Russia between September and December 2022,\nusing various payloads delivered through phishing emails containing\nsocially engineered lnk files, zip packages, and executables attached to\nvirtual disk image files.",
+ "meta": {
+ "country": "MA",
+ "refs": [
+ "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/",
+ "https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/",
+ "https://blog.talosintelligence.com/get-a-loda-this/"
+ ]
+ },
+ "uuid": "6db3ad41-6b47-43c8-b94b-98853749ee02",
+ "value": "Kasablanka"
 }
 ],
 "version": 289
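Review bot: The Kasablanka description carries literal `\n` escapes (`that has\nspecifically`, `2022,\nusing`, `containing\nsocially`, `to\nvirtual`), i.e. the source article's hard wraps were pasted into the JSON string, while every other description in this series is a single unwrapped paragraph; replacing each `\n` with a space restores the sentence and matches the rest of the file. The `"country": "MA"` attribution is not stated in the description, and none of the three ref slugs (YoroTrooper, BladeHawk, Loda) names Kasablanka or Morocco, so the source supporting that field should be identified before merging.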
From 0133c023d20f8b33a8409ed08c57fc1ef066a67b Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 19:02:12 +0100
Subject: [PATCH 05/11] [threat-actors] Add YoroTrooper
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6b43dc2..31a073b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12287,6 +12287,18 @@
 },
 "uuid": "6db3ad41-6b47-43c8-b94b-98853749ee02",
 "value": "Kasablanka"
+ },
+ {
+ "description": "YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States, based on Cisco Talos analysis. YoroTrooper was also observed compromising accounts from at least two international organizations: a critical European Union health care agency and the World Intellectual Property Organization. Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan.",
+ "meta": {
+ "country": "KZ",
+ "refs": [
+ "https://blog.talosintelligence.com/attributing-yorotrooper/",
+ "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/"
+ ]
+ },
+ "uuid": "2031ae01-e962-4861-a224-0934af6cdd3a",
+ "value": "YoroTrooper"
 }
 ],
 "version": 289
From 44d7b3e88f8a507b161cd0288171c135becf5516 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 19:02:12 +0100
Subject: [PATCH 06/11] [threat-actors] Add Metador
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 31a073b..5808caa 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
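Review bot: YoroTrooper cites the same Talos report (`yorotrooper-espionage-campaign-cis-turkey-europe`) that the Kasablanka entry added in patch 04 cites, yet neither entry points at the other. If that report connects the two groups, a `related` entry on this cluster, `{"dest-uuid": "6db3ad41-6b47-43c8-b94b-98853749ee02", "type": "similar"}`, would make the link explicit; if it does not, the shared ref on the Kasablanka side is probably misplaced. One read of the source settles which it is.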
@@ -12299,6 +12299,17 @@
 },
 "uuid": "2031ae01-e962-4861-a224-0934af6cdd3a",
 "value": "YoroTrooper"
+ },
+ {
+ "description": "Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa. Metador’s attack chains are designed to bypass native security solutions while deploying malware platforms directly into memory. SentinelLabs researchers discovered variants of two long-standing Windows malware platforms, and indications of an additional Linux implant.",
+ "meta": {
+ "refs": [
+ "https://www.sentinelone.com/labs/the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques/",
+ "https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/"
+ ]
+ },
+ "uuid": "5d22315b-55ef-4d8a-86aa-00ba38057641",
+ "value": "Metador"
 }
 ],
 "version": 289
From ea227222ea82293af413e3efecaf9a542604977a Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 19:02:12 +0100
Subject: [PATCH 07/11] [threat-actors] Add SiegedSec
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5808caa..99cf3e7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12310,6 +12310,21 @@
 },
 "uuid": "5d22315b-55ef-4d8a-86aa-00ba38057641",
 "value": "Metador"
+ },
+ {
+ "description": "SiegedSec, a hacktivist collective, emerged coincidentally just days before Russia’s invasion of Ukraine. Under the leadership of the hacktivist known as “YourAnonWolf,” the group swiftly gained strength, announcing an increasing number of victims after its inception. The group humorously self-identifies as “gay furry hackers” and is renowned for its comical slogans and the use of vulgar language. SiegedSec has affiliations with other hacker groups like GhostSec and typically consists of members aged between 18 and 26.",
+ "meta": {
+ "refs": [
+ "https://therecord.media/nato-siegedsec-unclassified-websites-alleged-cyberattack",
+ "https://socradar.io/threat-actor-profile-siegedsec/",
+ "https://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/",
+ "https://therecord.media/fort-worth-officials-say-leaked-data-was-public",
+ "https://webz.io/dwp/exclusive-hacktivists-attack-anti-abortion-u-s-states/",
+ "https://www.darkowl.com/blog-content/darkowl-threat-actor-spotlight-siegedsec-and-leaked-data/"
+ ]
+ },
+ "uuid": "3c2f534a-a898-4af6-b3e8-f2740c473de0",
+ "value": "SiegedSec"
 }
 ],
 "version": 289
From 1343cdb35abeb85e9dbbd87c6a1ab9d34eadae8e Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 19:02:12 +0100
Subject: [PATCH 08/11] [threat-actors] Add RansomVC
---
 clusters/threat-actor.json | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 99cf3e7..10a40b1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12325,6 +12325,26 @@
 },
 "uuid": "3c2f534a-a898-4af6-b3e8-f2740c473de0",
 "value": "SiegedSec"
+ },
+ {
+ "description": "Ransomed.VC burst onto the scene with a well-orchestrated PR campaign, encompassing a clearnet site and multiple communication channels including Telegram and Twitter/X profiles. Their operations are heavily inclined towards exploiting GDPR penalties as a method of extortion, threatening victims with potential legal repercussions in case of data leaks.",
+ "meta": {
+ "aliases": [
+ "Ransomed.vc"
+ ],
+ "refs": [
+ "https://therecord.media/colonial-pipeline-attributes-ransomware-claims-to-unrelated-third-party-breach",
+ "https://socradar.io/on-the-horizon-ransomed-vc-ransomware-group-spotted-in-the-wild/",
+ "https://www.sentinelone.com/blog/sep-2023-cybercrime-update-new-ransomware-threats-and-the-rising-menace-of-telegram/",
+ "https://socradar.io/unmasking-usdod-the-enigma-of-the-cyber-realm/",
+ "https://www.videogameschronicle.com/news/a-ransomware-group-claims-to-have-beached-all-sony-systems/",
+ "https://securityaffairs.com/151550/data-breach/ransomed-vc-sony-ntt-alleged-attacks.html",
+ "https://blog.talosintelligence.com/threat-source-newsletter-sept-28-2023/",
+ "https://www.resecurity.com/blog/article/ransomedvc-in-the-spotlight-what-we-know-about-the-ransomware-group-targeting-major-japanese-businesses"
+ ]
+ },
+ "uuid": "f939b51d-32f9-41d9-8549-f00b2db104c7",
+ "value": "RansomVC"
 }
 ],
 "version": 289
From 84fda6ef7256821e71ea93f47f816e38e66ee592 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 19:02:12 +0100
Subject: [PATCH 09/11] [threat-actors] Add Carderbee
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 10a40b1..c351b8a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
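Review bot: The entry's `"value"` is `RansomVC`, while the description, the alias and every ref slug call the group Ransomed.VC / ransomed-vc; `value` is the canonical name MISP matches against and displays, so it should be the name actually in use, `"value": "Ransomed.vc"`, with the short form moved into the alternate-name list instead. That list is also keyed `"aliases"`, whereas the cluster's key for alternate names is `"synonyms"`. The `unmasking-usdod-the-enigma-of-the-cyber-realm` ref is, by its title, a profile of a different actor; keep it only if it actually discusses Ransomed.vc.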
@@ -12345,6 +12345,18 @@
 },
 "uuid": "f939b51d-32f9-41d9-8549-f00b2db104c7",
 "value": "RansomVC"
+ },
+ {
+ "description": "Symantec recently reported on activity attributed to a threat actor group dubbed Carderbee. In the campaign, the threat actors target entities in Hong Kong and other regions of Asia via a supply chain attack leveraging the legitimate Cobra DocGuard software. The activity began as early as September 2022.",
+ "meta": {
+ "refs": [
+ "https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia",
+ "https://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse"
+ ]
+ },
+ "uuid": "ce793b99-0cf2-4148-831c-ea5f6a9e0a76",
+ "value": "Carderbee"
 }
 ],
 "version": 289
From a65bb60d90eb2e78200fdede8f7ee0c57802eb78 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 19:02:12 +0100
Subject: [PATCH 10/11] [threat-actors] Add UNC3890
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c351b8a..078b232 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
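Review bot: The description opens with `Symantec recently reported`, a relative time reference that goes stale in a record read years later; anchor it to the report's publication date (taken from the third ref) or simply start with `Symantec reported on activity attributed to`. The first ref, `chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia`, does not name Carderbee in its title; if it only mentions the group in passing it adds little here and may suggest an attribution that neither the description nor `meta` actually makes.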
@@ -12357,6 +12357,18 @@
 },
 "uuid": "ce793b99-0cf2-4148-831c-ea5f6a9e0a76",
 "value": "Carderbee"
+ },
+ {
+ "description": "A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdoor named “SUGARUSH” and a browser credential stealer called “SUGARDUMP”, which exfiltrates password information to email addresses registered with Gmail, ProtonMail, Yahoo and Yandex email services. The threat actor also employs a network of C&C servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn and Facebook. These servers are designed to communicate with the targets and also with a watering hole hosted on the login page of a legitimate Israeli shipping company.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/",
+ "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping"
+ ]
+ },
+ "uuid": "27e11cc5-1688-4aea-a98d-96e6c275d005",
+ "value": "UNC3890"
 }
 ],
 "version": 289
From 025345e1b6e1dd68e0dc83b0f13756366227fd3d Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 3 Nov 2023 20:08:32 +0100
Subject: [PATCH 11/11] [threat-actors] remove duplicate
---
 clusters/threat-actor.json | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 078b232..897b5c5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
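Review bot: `"country": "IR"` records Iranian origin as a fact while the description itself says only `A suspected Iranian threat activity cluster`, so the structured field is stronger than the evidence the entry quotes; since consumers pivot on `country`, pair it with `"attribution-confidence": "50"` (the cluster expresses this as a string percentage) or leave the field out until the attribution firms up. The description is also the longest in the series and is mostly malware and infrastructure detail (SUGARUSH, SUGARDUMP, fake login pages); a shorter actor-level summary here, with the tooling detail left to the refs, would match the other entries.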
@@ -12093,19 +12093,6 @@
 "uuid": "79d0da59-9400-40f6-b72b-6c6f47354d59",
 "value": "Scarred Manticore"
 },
- {
- "description": "The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)",
- "meta": {
- "refs": [
- "https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
- "https://www.cybersecurity-insiders.com/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers-and-android-devices/?utm_source=rss&utm_medium=rss&utm_campaign=rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers-and-android-devices",
- "https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/",
- "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/"
- ]
- },
- "uuid": "b01f7ed8-db75-45c7-ac7b-60aa4a1f7f4b",
- "value": "Keksec"
- },
 {
 "description": "The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)",
 "meta": {