MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #422 from Delta-Sierra/master 

add SWEED threat actor
pull/425/head
Alexandre Dulaunoy 2019-07-16 15:53:41 +02:00 committed by GitHub
parent 483f048f7f 2861d2d78c
commit 6dd258a5a6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
clusters/threat-actor.json
View File

@ -7602,7 +7602,27 @@
},
"uuid": "e01b8f3a-9366-11e9-9c6f-17ba128aa4b6",
"value": "Zombie Spider"
},
{
"description": "In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims; and a hash of the APK involved (Android application) was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner-workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information.\nDuring the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker”, because of strings and variables in its code.",
"meta": {
"refs": [
"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"
]
},
"uuid": "f676fcd1-cde9-4d0a-8958-221f2abb56e9",
"value": "ViceLeaker"
},
{
"description": "Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling \"SWEED,\" including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.\nSWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).",
"meta": {
"refs": [
"https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html"
]
},
"uuid": "64ac8827-89d9-4738-9df3-cd955c628bee",
"value": "SWEED"
}
],
"version": 120
"version": 122
}