update threat actor galaxy

pull/414/head
Deborah Servili 2019-06-11 15:54:39 +02:00
parent d6b458520b
commit 79f11de6db
No known key found for this signature in database
GPG Key ID: 7E3A832850D4D7D1
1 changed file with 65 additions and 6 deletions


@ -500,7 +500,11 @@
"refs": [
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf",
"https://www.cfr.org/interactive/cyber-operations/apt-17"
"https://www.cfr.org/interactive/cyber-operations/apt-17",
"https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/",
"https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
"https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
"https://www.recordedfuture.com/hidden-lynx-analysis/"
],
"synonyms": [
"APT 17",
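Review bot: the new Hidden Lynx references are all added over https while the two retained FireEye and Symantec entries above them stay on plain http; since the whole refs array is being touched anyway, it would be worth normalising the scheme to https where the host supports it so the list is consistent and does not point readers at plaintext fetches. The re-added cfr.org line correctly gains the trailing comma that the removed line lacked, so the array stays valid JSON.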
@ -1139,7 +1143,9 @@
"country": "CN",
"refs": [
"https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/",
"https://www.cfr.org/interactive/cyber-operations/hellsing"
"https://www.cfr.org/interactive/cyber-operations/hellsing",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/",
"https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html"
],
"synonyms": [
"Goblin Panda",
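Review bot: the Fortinet slug `cta-security-playbook--goblin-panda.html` carries a double hyphen; please confirm that is the actual published path and not a typo, because a dead reference in a galaxy is hard to spot later. The two added posts are about Goblin Panda, which the entry already lists as a synonym, so the attribution of these references to this Hellsing entry is consistent with the existing data.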
@ -3457,7 +3463,8 @@
"attribution-confidence": "50",
"country": "RU",
"refs": [
"https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/"
"https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/",
"https://attack.mitre.org/groups/G0036/"
]
},
"related": [
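Review bot: the added MITRE id G0036 pins this entry to one specific ATT&CK group, but the only other reference is a Securelist article whose slug covers three distinct groups (Metel, GCMAN and Carbanak 2.0); the entry's `value` is outside the hunk, so please confirm that G0036 names the same group this entry describes before merging. The old Securelist URL is replaced rather than kept; that is fine as long as the new path layout (id moved to the end) has been checked to resolve.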
@ -3980,7 +3987,10 @@
"description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.",
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution"
"http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution",
"https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
"https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
"https://attack.mitre.org/groups/G0047/"
]
},
"related": [
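Review bot: the retained `researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution` line and the new `unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/` line point at the same article under two hostnames, so the entry now cites it twice; keep one (the new host, if the old one merely redirects) or drop the duplicate. The LookingGlass Operation Armageddon PDF and MITRE G0047 are genuine additions and fit the description's claim that the group has been active since at least 2013.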
@ -5058,11 +5068,14 @@
"value": "Magnetic Spider"
},
{
"description": "Arbors ASERT team is now reporting that, after looking deeper at that particular campaign, and by exposing a new trail in the groups activities, they managed to identify a new RAT that was undetectable at that time by most antivirus vendors.\nNamed Trochilus, this new RAT was part of Group 27s malware portfolio that included six other malware strains, all served together or in different combinations, based on the data that needed to be stolen from each victim.\nThis collection of malware, dubbed the Seven Pointed Dagger by ASERT experts, included two different PlugX versions, two different Trochilus RAT versions, one version of the 3012 variant of the 9002 RAT, one EvilGrab RAT version, and one unknown piece of malware, which the team has not entirely decloaked just yet.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf"
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf",
"https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml",
"https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
]
},
"uuid": "73e4728a-955e-426a-b144-8cb95131f2ca",
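Review bot: the Softpedia article is press coverage of the ASERT "Seven Pointed Dagger" brief cited on the line directly above it, so it adds a secondary source rather than new primary evidence; decide whether the galaxy wants secondary coverage in `refs` or whether the primary brief suffices. The Unit 42 MoonWind post is a substantive addition (Trochilus reuse in later attacks) that the unchanged description does not reflect, so a one-line extension of the description would keep text and references in step.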
@ -5917,7 +5930,14 @@
"description": "Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/",
"https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/",
"https://attack.mitre.org/groups/G0078/"
],
"synonyms": [
"Gorgon Group",
"Subaat"
]
},
"uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
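Review bot: this hunk drops the old `researchcenter.paloaltonetworks.com` URL in favour of the `unit42.paloaltonetworks.com` one, whereas the Gamaredon hunk earlier in this commit keeps both forms; pick one convention for the host migration and apply it across the file. Also, "Gorgon Group" is added as a synonym while the description itself says "which we are calling Gorgon Group"; if the entry's `value` (outside the hunk) is already "Gorgon Group", the synonym duplicates the name and should be removed.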
@ -6988,6 +7008,45 @@
]
},
"uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79"
},
{
"value": "GhostNet",
"description": "Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information.\nAttacks on the Dalai Lamas Private Office The OHHDL started to suspect it was under surveillance while setting up meetings be-tween His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomats office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)",
"meta": {
"refs": [
"http://www.nartv.org/mirror/ghostnet.pdf",
"https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf",
"https://en.wikipedia.org/wiki/GhostNet"
],
"synonyms": [
"Snooping Dragon"
]
},
"uuid": "cacf2ffc-8c49-11e9-895e-7f5bf9c2ff6d"
},
{
"value": "GozNym",
"description": "IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym. The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the droppers stealth and persistence; the Gozi ISFB parts add the banking Trojans capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.",
"meta": {
"refs": [
"https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
"https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/",
"https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/",
"https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation"
]
},
"uuid": "7803b380-8c4c-11e9-90a1-f3880ab3aaa0"
},
{
"value": "Group5",
"description": "A threat actor using Iranian-language tools, Iranian hosting companies, operating from the Iranian IP space at times was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab researchers reveal.\nThe operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email containing a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs, malicious PowerPoint files, and Android malware.\nThe threat actor was targeting Windows and Android devices of well-connected individuals in the Syrian opposition, researchers discovered. They called the actor Group5, because it targets Syrian opposition after regime-linked malware groups, the Syrian Electronic Army, ISIS (also known as the Islamic State or ISIL), and a group linked to Lebanon did the same in the past",
"meta": {
"refs": [
"https://www.securityweek.com/iranian-actor-group5-targeting-syrian-opposition",
"https://attack.mitre.org/groups/G0043/"
]
},
"uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af"
}
],
"version": 112
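Review bot: the three new descriptions carry copy-paste artifacts that should be cleaned before merge: GhostNet has a PDF line-break hyphen in "be-tween", missing apostrophes in "Dalai Lamas" and "diplomats", and the section heading "Attacks on the Dalai Lamas Private Office" run directly into the next sentence; GozNym has "droppers" for "dropper's"; Group5 ends without a full stop after "did the same in the past". Separately, the new entries omit `country` and `attribution-confidence` even though the GhostNet and Group5 descriptions explicitly attribute the activity (Chinese and Iranian respectively), while other entries in this same diff carry both fields; adding them keeps the galaxy queryable by origin. Note also that the GozNym text describes a malware hybrid rather than a group, so the description could state that the entry denotes the operators behind it, consistent with the Europol dismantling reference.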