From 871d90cfc2dcd198f65c37318cd37c126c7d0225 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 11 Nov 2019 13:34:54 +0100
Subject: [PATCH 1/8] chg: [threat-actor] Calypso group added
Ref: https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf
MISP UUID: 5ca4718b-7f38-4822-83b7-0a1a0a00b412
---
 clusters/threat-actor.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 59040c9..ba947c4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7778,7 +7778,21 @@
 },
 "uuid": "75db4269-924b-4771-8f62-0de600a43634",
 "value": "Operation WizardOpium"
+ },
+ {
+ "description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.",
+ "value": "Calypso group",
+ "uuid": "200d04c8-a11f-45c4-86fd-35bb5de3f7a3",
+ "meta": {
+ "refs": [
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
+ ],
+ "synonyms": [
+ "Calypso",
+ "Calypso APT"
+ ]
+ }
 }
 ],
- "version": 139
+ "version": 140
 }
From 1486890f8689dc2c982423f72b2ced56e55d0a82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 12 Nov 2019 10:25:00 +0100
Subject: [PATCH 2/8] fix: JQ all the things.
---
 clusters/threat-actor.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
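Review bot: The new Calypso entry's attribution claim ("Asian roots") and its victim list live only in the free-text `description`, while other entries in this file keep such data in structured meta keys (the APT33 hunk later in this series shows `"attribution-confidence": "50"` and `"country": "IR"`). Since the cited source only asserts a region, no `country` value can honestly be set, so the hedge in the description should stay as it is; but if the galaxy schema has a structured key for victim countries, the six named states belong there so consumers can filter on them rather than parse prose. Separately, the bare `"Calypso"` synonym is a generic word; if synonyms feed automatic name matching in MISP tooling, as I believe they do, it may collide with unrelated software or campaigns of the same name, so keeping only `"Calypso APT"` and the full value is the safer choice.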
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ba947c4..30ce5af 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7781,8 +7781,6 @@
 },
 {
 "description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.",
- "value": "Calypso group",
- "uuid": "200d04c8-a11f-45c4-86fd-35bb5de3f7a3",
 "meta": {
 "refs": [
 "https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
@@ -7791,7 +7789,9 @@
 "Calypso",
 "Calypso APT"
 ]
- }
+ },
+ "uuid": "200d04c8-a11f-45c4-86fd-35bb5de3f7a3",
+ "value": "Calypso group"
 }
 ],
 "version": 140
From eea0f528fa159ffa55348f8dcf52d95525aa8f83 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 12 Nov 2019 12:51:44 +0100
Subject: [PATCH 3/8] chg: [threat-actor] Lucky Mouse synonym added
Ref: https://www.bleepingcomputer.com/news/security/cyber-espionage-group-customizes-old-public-tools/
Ref: https://www.cybersecurity-insiders.com/apt-lucky-mouse-group-targets-canada-icao-via-cyber-attack/
---
 clusters/threat-actor.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 30ce5af..10ea810 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1060,7 +1060,8 @@
 "APT27",
 "Operation Iron Tiger",
 "Iron Tiger APT",
- "BRONZE UNION"
+ "BRONZE UNION",
+ "Lucky Mouse"
 ]
 },
 "related": [
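Review bot: The two Ref: URLs in the commit message that justify the `"Lucky Mouse"` synonym are not added to this entry's `meta.refs`, so the synonym has no provenance inside the dataset itself; the diffstat (3 insertions, 2 deletions) confirms only the synonym and the version line changed. Add both URLs to the entry's `refs` array, which sits outside this hunk, in the same commit as the synonym. Also, as far as I recall the vendor spelling is one word, `LuckyMouse`; since synonym matching is generally exact, consider carrying both forms: `"Lucky Mouse",` followed by `"LuckyMouse"`. The enclosing entry begins and ends outside the hunk.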
@@ -7794,5 +7795,5 @@
 "value": "Calypso group"
 }
 ],
- "version": 140
+ "version": 141
 }
From aa132ca58f54baab09367753f4d1ddc446c67ac5 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Thu, 14 Nov 2019 14:57:05 +0100
Subject: [PATCH 4/8] new refs for APT33
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 10ea810..3086723 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1983,7 +1983,10 @@
 "attribution-confidence": "50",
 "country": "IR",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
+ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
+ "https://www.brighttalk.com/webcast/10703/275683",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
 ],
 "synonyms": [
 "APT 33",
@@ -7795,5 +7798,5 @@
 "value": "Calypso group"
 }
 ],
- "version": 141
+ "version": 142
 }
From ac4099ed0e4c0e23146170f5b1f65e34d47fec9e Mon Sep 17 00:00:00 2001
From: rmkml
Date: Mon, 18 Nov 2019 23:37:21 +0100
Subject: [PATCH 5/8] Add Desync Ransomware
---
 clusters/ransomware.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index edd6d72..90273df 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
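Review bot: The added `"https://www.brighttalk.com/webcast/10703/275683"` reference in the APT33 `refs` array is a webcast URL that, as far as I know, sits behind a registration wall and carries no title or date, so an analyst following it cannot quickly verify what it supports and the link is likely to rot. The Trend Micro and Symantec write-ups added alongside it are citable written reports and already cover the same material; either drop the BrightTALK entry or replace it with a persistent archive link, and if it is kept, name the talk in the entry's description so the reference remains meaningful when the URL dies. The enclosing APT33 entry begins outside the hunk.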
@@ -13545,7 +13545,18 @@
 },
 "uuid": "5cea5548-1e3c-222a-3faf-022d461260b5",
 "value": "DoppelPaymer"
+ },
+ {
+ "description": "This crypto ransomware encrypts enterprise LAN data with AES (ECB mode), and then requires a ransom in # BTC to return the files.",
+ "meta": {
+ "encryption": "AES",
+ "refs": [
+ "https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html"
+ ]
+ },
+ "uuid": "6cea5546-1e2c-333a-4faf-033d461360b5",
+ "value": "Desync"
 }
 ],
- "version": 70
+ "version": 71
 }
From cfc6e2802cf8760e1389e77d3f1452f3eda7fb8f Mon Sep 17 00:00:00 2001
From: rmkml
Date: Tue, 19 Nov 2019 23:15:02 +0100
Subject: [PATCH 6/8] Add Maze Ransomware
---
 clusters/ransomware.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 90273df..9ad0e0e 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13556,7 +13556,20 @@
 },
 "uuid": "6cea5546-1e2c-333a-4faf-033d461360b5",
 "value": "Desync"
+ },
+ {
+ "description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.",
+ "meta": {
+ "encryption": "ChaCha20 and RSA",
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
+ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us"
+ ]
+ },
+ "uuid": "7cea7746-1f2d-321a-3fbf-044d451350b6",
+ "value": "Maze"
 }
 ],
- "version": 71
+ "version": 72
 }
From 9410326ea2707086f1d6c57cefc163a2b93edfb3 Mon Sep 17 00:00:00 2001
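Review bot: The new Desync `"uuid": "6cea5546-1e2c-333a-4faf-033d461360b5"` is visibly derived by hand from the neighbouring DoppelPaymer uuid `5cea5548-1e3c-222a-3faf-022d461260b5` shown in context (every group is the same digits nudged by one), and its fourth group starts with `4`, which is outside the RFC 4122 variant range `8`–`b`, so strict UUID validators will reject it and the identifier carries no real uniqueness guarantee across galaxies. Generate it instead with `uuidgen` or `python3 -c 'import uuid; print(uuid.uuid4())'` and paste the result; the DoppelPaymer uuid has the same defect but is not this commit's concern. Separately, the description's "a ransom in # BTC" leaks a placeholder from the source page; write "an unspecified amount of BTC" or drop the amount so the text does not read as a transcription error.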
From: rmkml
Date: Thu, 21 Nov 2019 00:55:55 +0100
Subject: [PATCH 7/8] Revert "Add Maze Ransomware"
This reverts commit cfc6e2802cf8760e1389e77d3f1452f3eda7fb8f.
---
 clusters/ransomware.json | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 9ad0e0e..90273df 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13556,20 +13556,7 @@
 },
 "uuid": "6cea5546-1e2c-333a-4faf-033d461360b5",
 "value": "Desync"
- },
- {
- "description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.",
- "meta": {
- "encryption": "ChaCha20 and RSA",
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
- "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us"
- ]
- },
- "uuid": "7cea7746-1f2d-321a-3fbf-044d451350b6",
- "value": "Maze"
 }
 ],
- "version": 72
+ "version": 71
 }
From 90bc6679888857a5088fbd21a6bc5c6083ad1f9a Mon Sep 17 00:00:00 2001
From: rmkml
Date: Thu, 21 Nov 2019 00:57:50 +0100
Subject: [PATCH 8/8] Add Maze Ransomware
---
 clusters/ransomware.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 90273df..ca6023b 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13556,7 +13556,20 @@
 },
 "uuid": "6cea5546-1e2c-333a-4faf-033d461360b5",
 "value": "Desync"
+ },
+ {
+ "description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.",
+ "meta": {
+ "encryption": "ChaCha20 and RSA",
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
+ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us"
+ ]
+ },
+ "uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
+ "value": "Maze"
 }
 ],
- "version": 71
+ "version": 72
 }
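Review bot: The re-added Maze entry's `"uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6"` is again a hand-edited variation of its neighbour (compare the Desync uuid `6cea5546-1e2c-333a-4faf-033d461360b5` in the context lines), and its fourth group starts with `3`, which is not an RFC 4122 variant, so the identifier fails strict validation and offers no collision resistance; the series already had to revert and re-add this entry once under a different uuid, which is exactly the churn a generated `uuid4` avoids. Since the reverted commit (cfc6e28) shipped `7cea7746-1f2d-321a-3fbf-044d451350b6` for the same entry, anyone who synced between those commits now holds a dangling identifier, so it is worth stating in the commit message that the earlier uuid is retired. Also, `"encryption": "ChaCha20 and RSA"` is prose where the neighbouring Desync entry uses a bare algorithm name (`"AES"`); if this field is meant to be matched or filtered on, a consistent form such as a comma-separated list would serve better, though I cannot see the field's convention from this hunk.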