From ea4d8a2d420ba2540fe340dff16ba1134843a39c Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 16 Jul 2019 10:03:07 +0200
Subject: [PATCH 1/2] add SWEED threat actor
---
 clusters/threat-actor.json | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9a34a93..49a93d4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7602,7 +7602,25 @@
 },
 "uuid": "e01b8f3a-9366-11e9-9c6f-17ba128aa4b6",
 "value": "Zombie Spider"
+ },
+ {
+ "value": "ViceLeaker",
+ "description": "In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims; and a hash of the APK involved (Android application) was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner-workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information.\nDuring the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker”, because of strings and variables in its code.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"
+ ]
+ }
+ },
+ {
+ "value": "SWEED",
+ "description": "Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling \"SWEED,\" including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.\nSWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. 
While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html"
+ ]
+ }
 }
 ],
- "version": 120
+ "version": 122
 }
From 2861d2d78c7db2f1cf308a0142504202c113b651 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 16 Jul 2019 10:13:10 +0200
Subject: [PATCH 2/2] jq
---
 clusters/threat-actor.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 49a93d4..7d2cd7f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
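Review bot: Both new entries carry nothing in `meta` except `refs`, so the actionable intelligence stays locked in prose: the SWEED description names Formbook, Lokibot and Agent Tesla as the actor's tooling, and the ViceLeaker text says a Bitdefender analysis of the same samples exists, yet neither fact is captured as a relationship or a reference. Linking the malware families (presumably via the `related` list this galaxy uses elsewhere) needs their UUIDs from the tool/malware clusters, which are not visible here, so that is a follow-up rather than a guess; adding the Bitdefender write-up to `refs` is a one-line change once the URL is confirmed. Both descriptions are also verbatim vendor copy in the first person ("we discovered", "our sample feed", "In this post, we'll"), which reads as the galaxy itself speaking; a leading attribution such as `"description": "Per Kaspersky (Securelist): In May 2018, we discovered ..."` would make the provenance explicit without altering the quoted text. The subject line "add SWEED threat actor" also understates the change, since ViceLeaker is added in the same hunk.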
@@ -7604,22 +7604,24 @@
 "value": "Zombie Spider"
 },
 {
- "value": "ViceLeaker",
 "description": "In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims; and a hash of the APK involved (Android application) was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner-workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information.\nDuring the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker”, because of strings and variables in its code.",
 "meta": {
 "refs": [
 "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"
 ]
- }
+ },
+ "uuid": "f676fcd1-cde9-4d0a-8958-221f2abb56e9",
+ "value": "ViceLeaker"
 },
 {
- "value": "SWEED",
 "description": "Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling \"SWEED,\" including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.\nSWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. 
While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).",
 "meta": {
 "refs": [
 "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html"
 ]
- }
+ },
+ "uuid": "64ac8827-89d9-4738-9df3-cd955c628bee",
+ "value": "SWEED"
 }
 ],
 "version": 122
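Review bot: The two `uuid` values added here become the stable cross-instance identifiers for these entries, so from this commit on they must be treated as immutable — never regenerated by a later jq or formatting pass — and checked for uniqueness against every other cluster before merge; nothing in the hunk shows such a check. They are random v4 UUIDs, which is the right choice next to the time-based v1 on the neighbouring Zombie Spider entry (`e01b8f3a-9366-11e9-...`), since v1 encodes a timestamp and a node identifier from the generating machine. Because patch 1/2 lands both entries without a `uuid`, squashing the two commits would avoid an intermediate revision that fails any schema or CI check requiring the field, and would let the combined message say what was actually done instead of `jq`.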