Adding TA413 and Evilnum

pull/579/head
Daniel Plohmann (jupiter) 2020-09-15 14:19:22 +02:00
parent ee968d7715
commit 7b00674c77
1 changed files with 26 additions and 1 deletions

View File

@ -8339,7 +8339,32 @@
],
"uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c",
"value": "GALLIUM"
},
{
"description": "Proofpoint researchers observed a phishing campaign impersonating the World Health Organizations (WHO) guidance on COVID-19 critical preparedness to deliver a new malware family that researchers have dubbed Sepulcher. This campaign targeted European diplomatic and legislative bodies, non-profit policy research organizations, and global organizations dealing with economic affairs. Additionally, a sender email identified in this campaign has been linked to historic Chinese APT targeting of the international Tibetan community using payloads linked to LuckyCat malware. Subsequently, a phishing campaign from July 2020 targeting Tibetan dissidents was identified delivering the same strain of Sepulcher malware. Operator email accounts identified in this campaign have been publicly linked to historic Chinese APT campaigns targeting the Tibetan community delivering ExileRAT malware. Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, Proofpoint researchers have attributed both campaigns to the APT actor TA413, which has previously been documented in association with ExileRAT. The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413s targets of interest. While best known for their campaigns against the Tibetan diaspora, this APT group associated with the Chinese state interest prioritized intelligence collection around Western economies reeling from COVID-19 in March 2020 before resuming more conventional targeting later this year.",
"meta": {
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic"
]
},
"uuid": "cbf94f8d-20f2-45a0-b78b-54715b6b4e18",
"value": "TA413"
},
{
"description": "ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The groups targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.",
"meta": {
"refs": [
"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
"https://securelist.com/deathstalker-mercenary-triumvirate/98177/"
],
"synonyms": [
"DeathStalker"
]
},
"uuid": "b6f3150f-2240-4c57-9dda-5144c5077058",
"value": "Evilnum"
}
],
"version": 177
"version": 178
}