MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge https://github.com/MISP/misp-galaxy

pull/861/head
Delta-Sierra 2023-08-24 09:13:58 +02:00
parent 090b501c4c 2d709eaad1
commit 639686be75
3 changed files with 3767 additions and 2370 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6052
clusters/sigma-rules.json
View File

File diff suppressed because it is too large Load Diff

61
clusters/threat-actor.json
View File

@ -172,7 +172,7 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
"https://dokumen.tips/documents/detecting-and-responding-pandas-and-bears.html"
]
},
"uuid": "7195b51f-500e-4034-a851-bf34a2728dc8",
@ -194,7 +194,7 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
"https://dokumen.tips/documents/detecting-and-responding-pandas-and-bears.html"
]
},
"uuid": "432b0304-768f-4fb9-9762-e745ef524ec7",
@ -613,7 +613,7 @@
"https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/",
"https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695",
"https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/",
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
"https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group",
"https://attack.mitre.org/groups/G0009/",
"https://www.secureworks.com/research/threat-profiles/bronze-firestone",
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
@ -880,7 +880,7 @@
"https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf",
"https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
"https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
"https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf",
"https://www.cfr.org/interactive/cyber-operations/iron-tiger",
"https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/",
"https://www.secureworks.com/research/bronze-union",
@ -1335,7 +1335,7 @@
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/sneaky-panda",
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=3b0d679a-3707-4075-a2a9-37d1af16d411&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://attack.mitre.org/groups/G0066/"
],
"synonyms": [
@ -1884,7 +1884,7 @@
"attribution-confidence": "50",
"country": "IR",
"refs": [
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"https://web.archive.org/web/20161020180305/http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140"
],
"synonyms": [
@ -2468,7 +2468,7 @@
"https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
"https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
"https://docs.broadcom.com/doc/waterbug-attack-group",
"https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
"https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
@ -2561,7 +2561,7 @@
"country": "RU",
"refs": [
"https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet",
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"https://web.archive.org/web/20161020180305/http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
"http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
"https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
@ -2647,7 +2647,7 @@
"https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
"https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
"https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks",
"https://web.archive.org/web/20141224060545/http://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
"https://attack.mitre.org/groups/G0034",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
@ -3121,7 +3121,7 @@
"attribution-confidence": "50",
"country": "IN",
"refs": [
"https://kung_foo.keybase.pub/papers_and_presentations/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf",
"https://github.com/jack8daniels2/threat-INTel/blob/master/2013/Unveiling-an-Indian-Cyberattack-Infrastructure-appendixes.pdf",
"https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
"https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
"https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/",
@ -4485,7 +4485,7 @@
"meta": {
"country": "RU",
"refs": [
"https://www.f-secure.com/documents/996508/1030745/callisto-group",
"https://web.archive.org/web/20170417102235/https://www.f-secure.com/documents/996508/1030745/callisto-group",
"https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe",
"https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
@ -5037,7 +5037,7 @@
{
"meta": {
"refs": [
"https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
]
},
"uuid": "7ad01582-d6a7-4a40-a0ee-7727e268cd15",
@ -7249,7 +7249,7 @@
"refs": [
"https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/",
"https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
"https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf"
"https://web.archive.org/web/20180827024318/http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf"
],
"since": "2014",
"suspected-victims": [
@ -9475,7 +9475,7 @@
"refs": [
"https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers",
"https://www.contextis.com/en/news/context-identifies-new-avivore-threat-group",
"https://www.contextis.com/en/blog/avivore"
"https://web.archive.org/web/20191208223958/https://www.contextis.com/en/blog/avivore"
]
},
"uuid": "8045fc09-13d6-4f90-b239-ed5060b9297b",
@ -9980,7 +9980,8 @@
"https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html",
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools",
"https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf"
],
"synonyms": [
"CHROMIUM",
@ -9989,7 +9990,8 @@
"FISHMONGER",
"BRONZE UNIVERSITY",
"AQUATIC PANDA",
"Red Dev 10"
"Red Dev 10",
"RedHotel"
]
},
"related": [
@ -10180,7 +10182,7 @@
"https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group",
"https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112"
"https://www.cisa.gov/news-events/analysis-reports/ar21-112a"
]
},
"uuid": "3f04dbbc-69bc-409b-82a1-6135f0b6a41c",
@ -11475,7 +11477,30 @@
},
"uuid": "77742419-aa71-4bc2-94c6-29c394b350e7",
"value": "Worok"
},
{
"description": "MoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in August 2023. The group has been active since at least 2014 and only targets foreign embassies in Belarus. Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets. The group uses two separate toolsets that we have named NightClub and Disco.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Belarus",
"cfr-suspected-victims": [
"Europe",
"Eastern Europe",
"South Asia",
"Northeast Africa"
],
"cfr-target-category": [
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "BY",
"refs": [
"https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"
]
},
"uuid": "01ac8b25-492e-444b-891b-968f2694e7b2",
"value": "MoustachedBouncer"
}
],
"version": 276
"version": 279
}

24
clusters/tool.json
View File

@ -10601,7 +10601,29 @@
],
"uuid": "7b002b6e-442c-4c0a-b173-873820c7c731",
"value": "VENOMBITE"
},
{
"description": "First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.",
"meta": {
"refs": [
"https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/",
"https://www.aon.com/cyber-solutions/aon_cyber_labs/darkgate-keylogger-analysis-masterofnone/",
"https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/",
"https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/",
"https://decoded.avast.io/janrubin/meh-2-2/",
"https://decoded.avast.io/janrubin/complex-obfuscation-meh/",
"https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign"
],
"synonyms": [
"Meh"
],
"type": [
"Loader"
]
},
"uuid": "978e5adc-e6e4-49a9-822f-0c130ac983a3",
"value": "DarkGate"
}
],
"version": 168
"version": 169
}