From eb43d9faf248bc9af5e059725847d2a7500b618a Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:25 -0800
Subject: [PATCH 01/10] [threat-actors] Add RedStinger
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 897b5c5..2ef6b65 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12356,6 +12356,20 @@
 },
 "uuid": "27e11cc5-1688-4aea-a98d-96e6c275d005",
 "value": "UNC3890"
+ },
+ {
+ "description": "In October 2022, Kaspersky identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.",
+ "meta": {
+ "aliases": [
+ "Bad Magic"
+ ],
+ "refs": [
+ "https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger",
+ "https://securelist.com/bad-magic-apt/109087/"
+ ]
+ },
+ "uuid": "b813c6a2-f8c7-4071-83bd-24c181ff2bd4",
+ "value": "RedStinger"
 }
 ],
 "version": 289
From 84fec96df9613a3c684b9b50655054605239c51c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:25 -0800
Subject: [PATCH 02/10] [threat-actors] Add Witchetty
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2ef6b65..00bd751 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
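Review bot: The trailing context line `"version": 289` is left untouched in this hunk and in every other hunk of the series (Witchetty, NB65, IndigoZebra, GhostSec, OilAlpha, HiddenArt, REF5961, REF2924, Storm-1133) although ten new entries are added. As far as I know MISP decides whether to re-import a galaxy cluster by comparing this field, so instances already on 289 would not pick up the new actors; the last patch of the series should change it to `"version": 290` (one bump for the whole series is enough). The enclosing `values` array begins well before this hunk.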
@@ -12370,6 +12370,22 @@
 },
 "uuid": "b813c6a2-f8c7-4071-83bd-24c181ff2bd4",
 "value": "RedStinger"
+ },
+ {
+ "description": "Witchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10). Witchetty’s activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload known as LookBack. ESET reported that the group had targeted governments, diplomatic missions, charities, and industrial/manufacturing organizations.",
+ "meta": {
+ "aliases": [
+ "LookingFrog"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-witchetty-apt-group-active-iocs",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
+ "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/"
+ ]
+ },
+ "uuid": "202f5481-7bae-4a0b-b117-0642ea1dbe65",
+ "value": "Witchetty"
 }
 ],
 "version": 289
From 971b17b79f20a4b2f7b60dc6a984344a2f9b22d0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:25 -0800
Subject: [PATCH 03/10] [threat-actors] Add NB65
---
 clusters/threat-actor.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 00bd751..219d4cd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
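Review bot: The description states that Witchetty is one of three sub-groups of TA410 with links to Cicada/APT10, but the new entry carries no `related` item, so the relationship lives only in prose and cannot be followed in MISP. If the cluster already has an entry for TA410 or Cicada (outside this hunk, so I cannot confirm), add a `related` list such as `{"dest-uuid": "<uuid-of-existing-TA410-entry>", "type": "similar"}` using whichever relationship type this cluster already uses for sub-groups. The `"country": "CN"` line is consistent with the APT10 link stated in the description.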
@@ -12386,6 +12386,23 @@
 },
 "uuid": "202f5481-7bae-4a0b-b117-0642ea1dbe65",
 "value": "Witchetty"
+ },
+ {
+ "description": "Network Battalion 65 is an hactivist group with ties to Anonymous, known for attacking Russian companies and performing hack-and-leak operations.",
+ "meta": {
+ "aliases": [
+ "Network Battalion 65"
+ ],
+ "refs": [
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-leaked-conti-ransomware-used-to-target-russia-active-iocs",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
+ "https://securelist.com/reassessing-cyberwarfare-lessons-learned-in-2022/108328/",
+ "https://www.rewterz.com/articles/russian-ukrainian-cyber-warfare-rewterz-threat-intelligence-rollup",
+ "https://www.hackread.com/anonymous-affiliate-nb65-russia-broadcaster-data-breach/"
+ ]
+ },
+ "uuid": "e1941666-dcde-4f31-8a56-8041ac82bb99",
+ "value": "NB65"
 }
 ],
 "version": 289
From 5a4a697e8cc8608354b515b327a719c52bbdb7a4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:25 -0800
Subject: [PATCH 04/10] [threat-actors] Add IndigoZebra
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 219d4cd..3b0c82d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
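Review bot: The description line reads `"Network Battalion 65 is an hactivist group with ties to Anonymous, ..."`; the article is wrong and should be `a hacktivist group`. This string is what analysts see in the MISP UI, so it is worth correcting before merge. The rest of the entry (alias, five refs, uuid) looks consistent with the other hunks in the series.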
@@ -12403,6 +12403,19 @@
 },
 "uuid": "e1941666-dcde-4f31-8a56-8041ac82bb99",
 "value": "NB65"
+ },
+ {
+ "description": "IndigoZebra is a Chinese state-sponsored actor mentioned for the first time by Kaspersky in its APT Trends report Q2 2017, targeting, at the time of its discovery, former Soviet Republics with multiple malware strains including Meterpreter, Poison Ivy, xDown, and a previously unknown backdoor called “xCaon.”",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs",
+ "https://securelist.com/apt-trends-report-q2-2017/79332/"
+ ]
+ },
+ "uuid": "79e826b0-b051-4a61-b38c-496021b3afdb",
+ "value": "IndigoZebra"
 }
 ],
 "version": 289
From 152ab38b1080aa7e78f52a66d1e301590865340d Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:26 -0800
Subject: [PATCH 05/10] [threat-actors] Add GhostSec
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3b0c82d..b55b01a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12416,6 +12416,20 @@
 },
 "uuid": "79e826b0-b051-4a61-b38c-496021b3afdb",
 "value": "IndigoZebra"
+ },
+ {
+ "description": "GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS.",
+ "meta": {
+ "aliases": [
+ "Ghost Security"
+ ],
+ "refs": [
+ "https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec",
+ "https://forescoutstage.wpengine.com/blog/the-increasing-threat-posed-by-hacktivist-attacks-an-analysis-of-targeted-organizations-devices-and-ttps/"
+ ]
+ },
+ "uuid": "a1315451-326f-4185-8d71-80f9243f395f",
+ "value": "GhostSec"
 }
 ],
 "version": 289
From bfb03504a9368b7056b20079cea538b7c027255c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:26 -0800
Subject: [PATCH 06/10] [threat-actors] Add OilAlpha
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b55b01a..8aff309 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
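Review bot: The second `refs` entry points at `https://forescoutstage.wpengine.com/blog/...`, which is a WP Engine staging host rather than the published Forescout blog; staging hosts are commonly access-restricted and can vanish without notice, so the reference is not durable for a curated galaxy. Replace it with the canonical forescout.com URL of the same post (check that it resolves), or drop it and keep only the Uptycs reference. The description itself says nothing about the GhostLocker activity that the first reference covers, so one sentence on that would make the two refs match the text.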
@@ -12430,6 +12430,17 @@
 },
 "uuid": "a1315451-326f-4185-8d71-80f9243f395f",
 "value": "GhostSec"
+ },
+ {
+ "description": "OilAlpha has almost exclusively relied on infrastructure associated with the Public Telecommunication Corporation (PTC), a Yemeni government-owned enterprise reported to be under the direct control of the Houthi authorities. OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets. It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices.",
+ "meta": {
+ "refs": [
+ "https://www.zimperium.com/blog/zimperium-mtd-against-oilalpha-a-comprehensive-defense-strategy/",
+ "https://www.recordedfuture.com/oilalpha-likely-pro-houthi-group-targeting-arabian-peninsula"
+ ]
+ },
+ "uuid": "ae2b897d-f285-4d03-9bab-0ff59d6657a7",
+ "value": "OilAlpha"
 }
 ],
 "version": 289
From ee354d9d75fcacdf4bd4d9caac2ad2f5ef4755b4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:26 -0800
Subject: [PATCH 07/10] [threat-actors] Add HiddenArt
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8aff309..e80a502 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
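Review bot: The description opens mid-narrative (`"OilAlpha has almost exclusively relied on infrastructure ..."`) without saying what OilAlpha is or who reported it; the only hint of the assessed alignment is the slug of the Recorded Future URL in `refs` (`likely-pro-houthi-group`). A lead sentence such as `OilAlpha is a threat group, reported by Recorded Future, assessed as likely pro-Houthi and targeting entities on the Arabian Peninsula.` would make the entry self-describing and tie the text to its source. Leaving `country` unset is the right call given that the source itself hedges the alignment.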
@@ -12441,6 +12441,17 @@
 },
 "uuid": "ae2b897d-f285-4d03-9bab-0ff59d6657a7",
 "value": "OilAlpha"
+ },
+ {
+ "description": "It was observed that a mobile network threat actor designated as ‘HiddenArt’ actively sustains a capacity to remotely access the personal devices of targeted individuals around the world on an ongoing basis. Since detecting this threat actor, periodic reconnaissance activities were observed in at least 7 target mobile networks around the world and given the wide geographic distribution of these targeted mobile operators, it is probable that the threat actor is active on a global scale.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://www.enea.com/insights/the-hunt-for-hiddenart/"
+ ]
+ },
+ "uuid": "cdcfd3e1-4e42-4746-b1f1-66d5ce27b4da",
+ "value": "HiddenArt"
 }
 ],
 "version": 289
From 18811f8056c779fc153699fa1ddfaa2893ad33bb Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:26 -0800
Subject: [PATCH 08/10] [threat-actors] Add REF5961
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e80a502..4ef2ac3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
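Review bot: `"country": "RU"` is asserted in `meta` while the description never attributes HiddenArt to anyone and the single `refs` entry is one Enea blog post; `country` is a field consumers pivot and correlate on, so it should not carry an attribution the entry's own text does not state. Either add the attributing sentence (and its source) to the description, or drop the `country` line until the attribution is documented. It would also help to name the source in the text, e.g. open with `Enea reported that a mobile network threat actor designated as 'HiddenArt' ...` instead of the passive `It was observed that ...`, so readers know the entry rests on a single vendor report.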
@@ -12452,6 +12452,17 @@
 },
 "uuid": "cdcfd3e1-4e42-4746-b1f1-66d5ce27b4da",
 "value": "HiddenArt"
+ },
+ {
+ "description": "Elastic's security team has published a report on REF5961, a cyber-espionage group they found on the network of a Foreign Affairs Ministry from a member of the Association of Southeast Asian Nations (ASEAN). Elastic says it found the group's tools next to the malware of another cyber-espionage group it tracks as REF2924. REF5961's arsenal includes malware such as EAGERBEE, RUDEBIRD, and DOWNTOWN.",
+ "meta": {
+ "refs": [
+ "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set",
+ "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor"
+ ]
+ },
+ "uuid": "64234b2e-0c78-466d-8253-0df339f99f5f",
+ "value": "REF5961"
 }
 ],
 "version": 289
From 4a3968e87363181437deb5ab2a49e89b1cb76924 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:26 -0800
Subject: [PATCH 09/10] [threat-actors] Add REF2924
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4ef2ac3..0fc7a86 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12463,6 +12463,18 @@
 },
 "uuid": "64234b2e-0c78-466d-8253-0df339f99f5f",
 "value": "REF5961"
+ },
+ {
+ "description": "A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat",
+ "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set"
+ ]
+ },
+ "uuid": "c46ed7e9-3949-4c57-ab14-177d88f27e2c",
+ "value": "REF2924"
 }
 ],
 "version": 289
From 5828ba1a9dda5fd67010cea16581f2695b848770 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 6 Nov 2023 05:26:26 -0800
Subject: [PATCH 10/10] [threat-actors] Add Storm-1133
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0fc7a86..aa30c05 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12475,6 +12475,18 @@
 },
 "uuid": "c46ed7e9-3949-4c57-ab14-177d88f27e2c",
 "value": "REF2924"
+ },
+ {
+ "description": "In early 2023, Microsoft In early 2023, observed a wave of activity from a Gaza-based group that we track as Storm-1133 targeting Israeli private sector energy, defense, and telecommunications organizations.",
+ "meta": {
+ "country": "PS",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023",
+ "https://therecord.media/hacktivists-take-sides-israel-palestinian"
+ ]
+ },
+ "uuid": "d5908276-068a-4a4f-a60d-ab5800173ccd",
+ "value": "Storm-1133"
 }
 ],
 "version": 289
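Review bot: The REF2924 description has a missing space at `southeast Asia.According to a blog post`, and everything after that point is press commentary about detection technologies in the region rather than a statement about the actor; trimming the string to its first sentence (with the space restored) would be a clearer entry. `"country": "CN"` is also set without any attribution statement in the description, and neither Elastic URL slug in `refs` indicates one, so either cite the basis in the text or drop the field. Since the previous hunk added REF5961 with `"uuid": "64234b2e-0c78-466d-8253-0df339f99f5f"` and its description says the two groups' tooling was found on the same network, a `related` item pointing at that UUID (in whatever form this cluster already uses for `related`) would let MISP render the link instead of leaving it in prose.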
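Review bot: The Storm-1133 description contains a duplicated, broken clause, `"In early 2023, Microsoft In early 2023, observed a wave of activity ... that we track as Storm-1133"`; besides the repeated phrase, "we" is Microsoft's voice copied from the report rather than the galaxy's. Suggested text: `"In early 2023, Microsoft observed a wave of activity from a Gaza-based group it tracks as Storm-1133 targeting Israeli private sector energy, defense, and telecommunications organizations."`. `"country": "PS"` is consistent with the "Gaza-based" statement in the description, so that field is fine.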