mirror of https://github.com/MISP/misp-galaxy
Merge pull request #818 from Mathieu4141/threat-actors/proofpoint-aliases
[threat actors] Adding some actors from ProofPoint (pull/819/head)
commit
73bd7d0983
|
@ -10005,7 +10005,252 @@
|
|||
],
|
||||
"uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f",
|
||||
"value": "Malteiro"
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
"references": [
|
||||
"https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
|
||||
"https://vixra.org/abs/1902.0257",
|
||||
"https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/",
|
||||
"https://unit42.paloaltonetworks.com/threat-brief-hancitor-actors/"
|
||||
],
|
||||
"synonyms": [
|
||||
"MAN1",
|
||||
"TA511"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "4166ab63-24b0-4448-92ea-21c8deef978d",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"very-likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "ef2247bf-8062-404b-894f-d65d00564817",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"very-likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "66a0a3ad-5b07-4876-baee-cf44000f7470",
|
||||
"value": "Moskalvzapoe"
|
||||
},
|
||||
{
|
||||
"description": "One of the most active Qbot malware affiliates, Proofpoint has tracked the large cybercrime threat actor TA570 since 2018.",
|
||||
"meta": {
|
||||
"country": "RU",
|
||||
"references": [
|
||||
"https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
|
||||
"https://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/",
|
||||
"https://isc.sans.edu/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728",
|
||||
"https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
|
||||
],
|
||||
"synonyms": [
|
||||
"DEV-0450"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"very-likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"very-likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "82a808ad-3f2f-43c0-bd15-848a6e27da95",
|
||||
"value": "TA570"
|
||||
},
|
||||
{
|
||||
"description": "TA575 is a Dridex affiliate tracked by Proofpoint since late 2020. This group distributes malware such as Dridex, Qakbot, and WastedLocker via malicious URLs, Office attachments, and password-protected files. On average, TA575 distributes almost 4,000 messages per campaign impacting hundreds of organizations.",
|
||||
"meta": {
|
||||
"references": [
|
||||
"https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware",
|
||||
"https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware",
|
||||
"https://www.zdnet.com/article/ta575-criminal-group-using-squid-game-lures-for-dridex-malware/",
|
||||
"https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"very-likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"very-likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"very-likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"very-likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e72a0bde-ea5b-4450-bc90-b5d2dca697b4",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"very-likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "46cbafbc-8907-42d3-9002-5327c26f8927",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"very-likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "fbb04514-f71d-4a95-a1af-727d21ef12a2",
|
||||
"value": "TA575"
|
||||
},
|
||||
{
|
||||
"description": "TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.",
|
||||
"meta": {
|
||||
"country": "RU",
|
||||
"references": [
|
||||
"https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
|
||||
"https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html",
|
||||
"https://www.itpro.com/security/ransomware/359919/ransomware-criminals-look-to-other-hackers-to-provide-them-with-network",
|
||||
"https://exchange.xforce.ibmcloud.com/threat-group/guid:1dda890fa2662ed26b451c703e922315"
|
||||
],
|
||||
"synonyms": [
|
||||
"Hive0118"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "cd0ad49d-7f79-45e0-91ba-c5eecdabe3aa",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "e405b7d0-3eed-4f9d-9b68-728e9793974c",
|
||||
"value": "TA577"
|
||||
},
|
||||
{
|
||||
"description": "TA2536, which has been active since at least 2015, is likely Nigerian based on its unique linguistic style, tactics and tools. It uses keyloggers such as HawkEye and distinctive stylometric features in typo-squatted domains that resemble legitimate names and the use of recurring names and substrings in email addresses.",
|
||||
"meta": {
|
||||
"country": "NG",
|
||||
"references": [
|
||||
"https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "4793a29b-1191-4750-810e-9301a6576fc4",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "8378b417-605e-4196-b31f-a0c96d75aa50",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "31615066-dbff-4134-b467-d97a337b408b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "9687a6a9-0a66-4373-b546-60553857a442",
|
||||
"value": "TA2536"
|
||||
}
|
||||
],
|
||||
"version": 258
|
||||
"version": 259
|
||||
}
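Review bot: The `country` field asserts a definite attribution that the entries' own text does not support: TA2536's description says the actor is "likely Nigerian" yet the entry sets `"country": "NG"` as a bare fact, and TA570 and TA577 set `"country": "RU"` with no sentence in their descriptions making that claim, so a consumer that pivots on `country` will treat an analyst judgment as established. If the rest of this galaxy carries an `attribution-confidence` value alongside `country` (not visible in this hunk, so to be confirmed), these three entries should too, e.g. `"attribution-confidence": "50",` before each `"country"` line; otherwise the RU claims need a cited reference that states them or should be dropped. Separately, the Moskalvzapoe entry has no `description`, so the `MAN1`/`TA511` synonyms are the only hint of what is being merged; a one-line description drawn from the cited Hancitor write-ups would make that alias merge auditable, and the vixra.org reference is an unreviewed preprint that a reader should not take as corroboration on its own. The TA570 description's dangling modifier reads as if Proofpoint were the Qbot affiliate; `"description": "TA570 is one of the most active Qbot malware affiliates; Proofpoint has tracked this large cybercrime threat actor since 2018."` fixes it. The enclosing `values` array and the galaxy object begin outside the hunk.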
|
||||
|
|