Merge pull request #818 from Mathieu4141/threat-actors/proofpoint-aliases

[threat actors] Adding some actors from Proofpoint
pull/819/head
Alexandre Dulaunoy 2023-02-14 06:40:22 +01:00 committed by GitHub
commit 73bd7d0983
1 changed files with 246 additions and 1 deletions


@ -10005,7 +10005,252 @@
],
"uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f",
"value": "Malteiro"
},
{
"meta": {
"references": [
"https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
"https://vixra.org/abs/1902.0257",
"https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/",
"https://unit42.paloaltonetworks.com/threat-brief-hancitor-actors/"
],
"synonyms": [
"MAN1",
"TA511"
]
},
"related": [
{
"dest-uuid": "4166ab63-24b0-4448-92ea-21c8deef978d",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
},
{
"dest-uuid": "ef2247bf-8062-404b-894f-d65d00564817",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
}
],
"uuid": "66a0a3ad-5b07-4876-baee-cf44000f7470",
"value": "Moskalvzapoe"
},
{
"description": "One of the most active Qbot malware affiliates, Proofpoint has tracked the large cybercrime threat actor TA570 since 2018.",
"meta": {
"country": "RU",
"references": [
"https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
"https://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/",
"https://isc.sans.edu/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728",
"https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
],
"synonyms": [
"DEV-0450"
]
},
"related": [
{
"dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
},
{
"dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
}
],
"uuid": "82a808ad-3f2f-43c0-bd15-848a6e27da95",
"value": "TA570"
},
{
"description": "TA575 is a Dridex affiliate tracked by Proofpoint since late 2020. This group distributes malware such as Dridex, Qakbot, and WastedLocker via malicious URLs, Office attachments, and password-protected files. On average, TA575 distributes almost 4,000 messages per campaign impacting hundreds of organizations.",
"meta": {
"references": [
"https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware",
"https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware",
"https://www.zdnet.com/article/ta575-criminal-group-using-squid-game-lures-for-dridex-malware/",
"https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware"
]
},
"related": [
{
"dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
},
{
"dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
},
{
"dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
},
{
"dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
},
{
"dest-uuid": "e72a0bde-ea5b-4450-bc90-b5d2dca697b4",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
},
{
"dest-uuid": "46cbafbc-8907-42d3-9002-5327c26f8927",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
}
],
"uuid": "fbb04514-f71d-4a95-a1af-727d21ef12a2",
"value": "TA575"
},
{
"description": "TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.",
"meta": {
"country": "RU",
"references": [
"https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
"https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html",
"https://www.itpro.com/security/ransomware/359919/ransomware-criminals-look-to-other-hackers-to-provide-them-with-network",
"https://exchange.xforce.ibmcloud.com/threat-group/guid:1dda890fa2662ed26b451c703e922315"
],
"synonyms": [
"Hive0118"
]
},
"related": [
{
"dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "cd0ad49d-7f79-45e0-91ba-c5eecdabe3aa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
}
],
"uuid": "e405b7d0-3eed-4f9d-9b68-728e9793974c",
"value": "TA577"
},
{
"description": "TA2536, which has been active since at least 2015, is likely Nigerian based on its unique linguistic style, tactics and tools. It uses keyloggers such as HawkEye and distinctive stylometric features in typo-squatted domains that resemble legitimate names and the use of recurring names and substrings in email addresses.",
"meta": {
"country": "NG",
"references": [
"https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1"
]
},
"related": [
{
"dest-uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "4793a29b-1191-4750-810e-9301a6576fc4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "8378b417-605e-4196-b31f-a0c96d75aa50",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "31615066-dbff-4134-b467-d97a337b408b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
}
],
"uuid": "9687a6a9-0a66-4373-b546-60553857a442",
"value": "TA2536"
}
],
"version": 258
"version": 259
}
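Review bot: The Moskalvzapoe entry (L18–L49) is the only newly added actor without a `description`, so a reader of the cluster gets two synonyms and four references but no statement of who the actor is or why the two `uses` relations are rated `very-likely`; a one- or two-sentence description drawn from the cited Unit 42 and Walmart write-ups would bring it in line with the other four entries. The TA570 description (L51) has a dangling modifier that reads as if Proofpoint were the Qbot affiliate; the same facts read cleanly as `"description": "TA570 is one of the most active Qbot malware affiliates; Proofpoint has tracked this large cybercrime threat actor since 2018."`. The `"country": "RU"` fields on TA570 (L53) and TA577 (L143) are not backed by anything in the description text, and attribution is the part of a threat-actor record consumers are most likely to act on — if one of the listed references makes that claim it would help to say so in the description, otherwise the field is better left out than asserted. These points apply to the new entries only; the `version` bump at the end of the hunk is fine.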