From 809860c945552e6a04221d407cf831e6173474cd Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Mon, 26 Apr 2021 11:44:01 +0200
Subject: [PATCH 1/3] version fix

---
 clusters/ransomware.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 57ed9e2..4da06fc 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -24210,5 +24210,5 @@
 "value": "DEcovid19"
 }
 ],
- "version": 96
+ "version": 97
 }

From 92bd2e3ee9749505a77aa35e9c8f4ac005172df7 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Mon, 26 Apr 2021 12:05:46 +0200
Subject: [PATCH 2/3] remove more duplicates

---
 clusters/ransomware.json | 12 +----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 4da06fc..d086adc 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -20862,11 +20862,6 @@
 "uuid": "51f42a21-1963-40c5-b644-d4c1c5c3f9eb",
 "value": "Fluffy-TAR"
 },
- {
- "description": "ransomware",
- "uuid": "f5f8939e-b001-45e1-a54d-09183b988c8c",
- "value": "Flyper"
- },
 {
 "description": "ransomware",
 "uuid": "10254366-b6d0-4266-a277-6ef4eee460b3",
@@ -23209,11 +23204,6 @@
 "uuid": "d650da35-7ad7-417a-902a-16ea55bd1126",
 "value": "XRat"
 },
- {
- "description": "ransomware",
- "uuid": "d2843c78-557d-4f95-a0bf-9ab3f1a4e49e",
- "value": "XCry"
- },
 {
 "description": "ransomware",
 "uuid": "f5c46d3f-404b-4640-9892-005f845d33a2",
@@ -24210,5 +24200,5 @@
 "value": "DEcovid19"
 }
 ],
- "version": 97
+ "version": 98
 }

From 913aff30c33044d6292d73a69ee76afae7dfbb35 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 2 Jul 2021 13:18:03 +0200
Subject: [PATCH 3/3] Add NOBELIUM and related

---
 clusters/backdoor.json | 35 ++++++-
 clusters/microsoft-activity-group.json | 56 +++++++++++-
 clusters/threat-actor.json | 9 ++
 clusters/tool.json | 122 ++++++++++++++++++++++++-
 4 files changed, 219 insertions(+), 3 deletions(-)

diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 36c6db6..9b2cbe8 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -139,7 +139,40 @@
 },
 "uuid": "1523a693-5d90-4da1-86d2-b5d22317820d",
 "value": "BazarBackdoor"
+ },
+ {
+ "description": "Backdoor.Sunburst is Malwarebytes’ detection name for a trojanized update to SolarWind’s Orion IT monitoring and management software.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://www.varonis.com/blog/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/",
+ "https://blog.malwarebytes.com/detections/backdoor-sunburst/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/"
+ ],
+ "synonyms": [
+ "Solarigate"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d9b2305e-9802-483c-a95d-2ae8525c7704",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "dropped-by"
+ },
+ {
+ "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
+ "uuid": "16902832-0118-40f2-b29e-eaba799b2bf4",
+ "value": "SUNBURST"
 }
 ],
- "version": 10
+ "version": 11
 }
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 1927f89..7f38304 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
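Review bot: The synonym `"Solarigate"` in the added SUNBURST entry looks misspelled: the two Microsoft refs a few lines above it spell the campaign name `solorigate` in their URLs, so consumers matching on the synonym will miss the canonical spelling; I would change it to `"Solorigate"`. The description also has `SolarWind’s` (vendor name truncated) and uses a curly apostrophe in `Malwarebytes’` / `SolarWind’s`; `SolarWinds'` with an ASCII apostrophe is the safer form for a value that gets searched and exported, assuming the rest of the cluster file uses plain ASCII, which the hunk does not show. The first ref (the 2021/05/27 NOBELIUM e-mail campaign post) describes a different campaign than the trojanized Orion update; it reads as an actor-level source and may belong on the NOBELIUM entry rather than on this backdoor entry.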
@@ -297,7 +297,61 @@
 },
 "uuid": "fbb66d6c-0faa-49cc-8aa3-2f9bd4e9c298",
 "value": "HAFNIUM"
+ },
+ {
+ "description": "Threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "16902832-0118-40f2-b29e-eaba799b2bf4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "aba3fd7d-87cc-4266-82a1-d458ae299266",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1e912590-c879-4a9c-81b9-2d31e82ac718",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "value": "NOBELIUM"
 }
 ],
- "version": 10
+ "version": 11
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c6a9be6..cbe8fb4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8356,6 +8356,15 @@
 "NOBELIUM"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
 "value": "UNC2452"
 },
diff --git a/clusters/tool.json b/clusters/tool.json
index eaf3961..d4600aa 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
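Review bot: The last two `related` entries of the new NOBELIUM object carry `"dest-uuid": ""`, which leaves two dangling `uses` relationships that galaxy validation and any consumer resolving dest-uuid cannot follow. The same patch adds GoldFinder (`235832b0-ee82-4ed9-8cbd-99cd3cc3596c`) and Sibot (`1422b81c-a3c6-4229-8523-82d705400f46`) to clusters/tool.json with `used-by` links back to `d7247cf9-13b6-4781-b789-a5f33521633b`, so these two blanks presumably were meant to be the reciprocal links to those uuids; either fill them in or drop the two entries. The description names only SUNBURST, TEARDROP and GoldMax although the series also attributes Raindrop, GoldFinder and Sibot to the actor, so the wording and the relationship list should be brought into line.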
@@ -8229,6 +8229,15 @@
 "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "16902832-0118-40f2-b29e-eaba799b2bf4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "dropped"
+ }
+ ],
 "uuid": "d9b2305e-9802-483c-a95d-2ae8525c7704",
 "value": "SUNSPOT"
 },
@@ -8292,7 +8301,118 @@
 "related": [],
 "uuid": "d357a6ff-00e5-4fcc-8b9e-4a9d98a736e7",
 "value": "RDAT"
+ },
+ {
+ "description": "Loader used in hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "6c562458-7970-4d61-aded-1fe4a9002404",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ }
+ ],
+ "uuid": "aba3fd7d-87cc-4266-82a1-d458ae299266",
+ "value": "TEARDROP"
+ },
+ {
+ "description": "Written in Go, GoldMax acts as command-and-control backdoor for the actor. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running.\nGoldMax establishes a secure session key with its C2 and uses that key to securely communicate with the C2, preventing non-GoldMax-initiated connections from receiving and identifying malicious traffic. The C2 can send commands to be launched for various operations, including native OS commands, via psuedo-randomly generated cookies. 
The hardcoded cookies are unique to each implant, appearing to be random strings but mapping to victims and operations on the actor side.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
+ "uuid": "1e912590-c879-4a9c-81b9-2d31e82ac718",
+ "value": "GoldMax"
+ },
+ {
+ "description": "Loader used in hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "aba3fd7d-87cc-4266-82a1-d458ae299266",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ }
+ ],
+ "uuid": "6c562458-7970-4d61-aded-1fe4a9002404",
+ "value": "Raindrop"
+ },
+ {
+ "description": "Tool written in Go, GoldFinder was most likely used as a custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server. When launched, the malware issues an HTTP request for a hardcoded IP address (e.g., hxxps://185[.]225[.]69[.]69/) and logs the HTTP response to a plaintext log file (e.g., loglog.txt created in the present working directory). 
GoldFinder uses the following hardcoded labels to store the request and response information in the log file:",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
+ "uuid": "235832b0-ee82-4ed9-8cbd-99cd3cc3596c",
+ "value": "GoldFinder"
+ },
+ {
+ "description": "Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
+ "uuid": "1422b81c-a3c6-4229-8523-82d705400f46",
+ "value": "Sibot"
 }
 ],
- "version": 144
+ "version": 145
 }
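Review bot: The GoldFinder description is truncated mid-sentence: it ends with `...to store the request and response information in the log file:`, a colon introducing a list of labels that was never pasted in from the cited Microsoft post; either append that list or close the sentence before the colon. The new Raindrop entry reuses the TEARDROP description word for word (`Loader used in hands-on-keyboard techniques ... one of several custom Cobalt Strike loaders.`), so two entries that the hunk links as `variant-of` each other are indistinguishable by description, and a sentence saying what sets Raindrop apart would help analysts reading the galaxy. The GoldMax description also carries the typo `psuedo-randomly` (should be `pseudo-randomly`).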