diff --git a/clusters/atrm.json b/clusters/atrm.json
index f6c4224b..09218e44 100644
--- a/clusters/atrm.json
+++ b/clusters/atrm.json
@@ -11,7 +11,8 @@
 "Ram Pliskin",
 "Nikhil Mittal",
 "MITRE ATT&CK",
- "AlertIQ"
+ "AlertIQ",
+ "Craig Fretwell"
 ],
 "category": "atrm",
 "description": "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
@@ -491,7 +492,7 @@
 "value": "AZT404.2 - Logic Application"
 },
 {
- "description": "By utilizing a Automation Account configured with a managed identity or RunAs account, an attacker can execute Azure operations on a given resource.",
+ "description": "By utilizing a Function Application, an attacker can execute Azure operations on a given resource.",
 "meta": {
 "kill_chain": [
 "ATRM-tactics:Privilege Escalation"
@@ -1066,10 +1067,10 @@
 "description": "By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.",
 "meta": {
 "kill_chain": [
- "ATRM-tactics:Exfiltration"
+ "ATRM-tactics:Impact"
 ],
 "refs": [
- "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701"
+ "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701"
 ]
 },
 "uuid": "9ca7b25c-643a-5e55-a210-684f49fe82d8",
@@ -1079,10 +1080,10 @@
 "description": "An adversary may create an SAS URI to download the disk attached to a virtual machine.",
 "meta": {
 "kill_chain": [
- "ATRM-tactics:Exfiltration"
+ "ATRM-tactics:Impact"
 ],
 "refs": [
- "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-1"
+ "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-1"
 ]
 },
 "uuid": "8805d880-8887-52b6-a113-8c0f4fec4230",
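Review bot: Only the `description` of this AZT404 entry changes (Automation Account → Function Application), while the entry's `refs` and `value` lines fall outside the hunk and presumably still name the Automation Account technique, so the tag text and its explanation may now disagree. If the technique was re-numbered or re-titled upstream, `value` and the ref URL need the matching update in the same commit. The new wording also drops the "configured with a managed identity or RunAs account" qualifier; if the Function App case equally depends on an attached identity, keeping that clause tells defenders what to audit (identity assignments on Function Apps) without adding any operational detail. The enclosing entry starts and ends outside this hunk.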
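Review bot: Retagging AZT701–AZT704 from `ATRM-tactics:Exfiltration` to `ATRM-tactics:Impact` (this hunk, the next one on this line, and every hunk on the following three lines) leaves descriptions that still say the adversary "may extract the contents of that resource" — exfiltration wording under an Impact tactic. If this mirrors an upstream reorganisation of the matrix, the commit message should say so; either way the galaxy definition that declares the tactic order for `ATRM-tactics` must already list `Impact`, and may only drop `Exfiltration` once no entry uses it, or these tags will not resolve. Detection content and reports that pivot on the old tag value silently lose these techniques, so a one-line changelog note for the tactic rename would help consumers.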
@@ -1092,10 +1093,10 @@
 "description": "By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.",
 "meta": {
 "kill_chain": [
- "ATRM-tactics:Exfiltration"
+ "ATRM-tactics:Impact"
 ],
 "refs": [
- "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-2"
+ "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-2"
 ]
 },
 "uuid": "aae55a3a-8e32-5a62-8d41-837b2ebb1e69",
@@ -1105,23 +1106,23 @@
 "description": "An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.",
 "meta": {
 "kill_chain": [
- "ATRM-tactics:Exfiltration"
+ "ATRM-tactics:Impact"
 ],
 "refs": [
- "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT702/AZT702-1"
+ "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT702/AZT702-1"
 ]
 },
 "uuid": "dc6f9ee0-55b2-5197-87a5-7474cfc04d72",
 "value": "AZT702 - File Share Mounting"
 },
 {
- "description": "By setting up cross-tenant replication, an adversary may set up replication from one tenant's storage account to an external tenant's storage account.",
+ "description": "",
 "meta": {
 "kill_chain": [
- "ATRM-tactics:Exfiltration"
+ "ATRM-tactics:Impact"
 ],
 "refs": [
- "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT703/AZT703-1"
+ "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT703/AZT703-1"
 ]
 },
 "uuid": "ff4276bf-ab9e-5157-a171-5cdd4a3e6002",
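Review bot: The AZT703 entry's `description` is replaced with the empty string in the second hunk here, so the cross-tenant replication technique now carries no explanation while its `refs`, `uuid` and kill-chain tag stay in place. If the upstream text was withdrawn, drop the key or write a one-line summary rather than `"description": ""`; an empty description also defeats any consumer that searches cluster text. The removed sentence described the exposure at the same level of detail as the neighbouring AZT701/AZT702 entries, so restoring it (`"description": "By setting up cross-tenant replication, an adversary may set up replication from one tenant's storage account to an external tenant's storage account."`) looks like the safe choice.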
@@ -1131,10 +1132,10 @@
 "description": "An adversary may leverage resources found at a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted",
 "meta": {
 "kill_chain": [
- "ATRM-tactics:Exfiltration"
+ "ATRM-tactics:Impact"
 ],
 "refs": [
- "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704"
+ "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704"
 ]
 },
 "uuid": "47ded49d-ef4c-57d4-8050-f66f884c4388",
@@ -1144,10 +1145,10 @@
 "description": "An adversary may recover a key vault object found in a 'soft deletion' state.",
 "meta": {
 "kill_chain": [
- "ATRM-tactics:Exfiltration"
+ "ATRM-tactics:Impact"
 ],
 "refs": [
- "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-1"
+ "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-1"
 ]
 },
 "uuid": "d8fc76f2-6776-5a09-bfb3-57852ae1d786",
@@ -1157,10 +1158,10 @@
 "description": "An adversary may recover a storage account object found in a 'soft deletion' state.",
 "meta": {
 "kill_chain": [
- "ATRM-tactics:Exfiltration"
+ "ATRM-tactics:Impact"
 ],
 "refs": [
- "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-2"
+ "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-2"
 ]
 },
 "uuid": "cd9f0082-b2c7-53f8-95a6-a4fe746f973e",
@@ -1170,15 +1171,28 @@
 "description": "An adversary may recover a virtual machine object found in a 'soft deletion' state.",
 "meta": {
 "kill_chain": [
- "ATRM-tactics:Exfiltration"
+ "ATRM-tactics:Impact"
 ],
 "refs": [
- "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-3"
+ "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3"
 ]
 },
 "uuid": "d333405e-af82-555c-a68f-e723878b5f55",
 "value": "AZT704.3 - Recovery Services Vault"
+ },
+ {
+ "description": "An adversary may recover a virtual machine object found in a 'soft deletion' state.",
+ "meta": {
+ "kill_chain": [
+ "ATRM-tactics:Impact"
+ ],
+ "refs": [
+ "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3"
+ ]
+ },
+ "uuid": "9d181c95-ccf7-5c94-8f4a-f6a2df62d760",
+ "value": "AZT705 - Azure Backup Delete"
 }
 ],
- "version": 1
+ "version": 2
 }
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 8dcd6446..4e0ede8a 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -1840,5 +1840,5 @@
 "value": "Zigzag Hail"
 }
 ],
- "version": 20
+ "version": 21
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 045fee2e..2d5a29a6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -372,7 +372,8 @@
 "TUNGSTEN BRIDGE",
 "T-APT-02",
 "G0012",
- "ATK52"
+ "ATK52",
+ "Zigzag Hail"
 ]
 },
 "related": [
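Review bot: The new `AZT705 - Azure Backup Delete` entry reuses the AZT704.3 description verbatim (`An adversary may recover a virtual machine object found in a 'soft deletion' state.`) and the AZT704-3 ref URL, so the cluster describes a backup-deletion technique as a recovery technique and sends readers to the wrong matrix page. The description should state what is actually catalogued — deletion of backup items or vaults as a destructive Impact action — and the ref should be the AZT705 page (`<ATRM AZT705 page URL>`). The new `uuid` is version 5 like its siblings, which looks consistent, but confirm it was derived with the same namespace/name scheme so a regeneration does not change it. A CI check that rejects two entries with identical `description` or identical `refs` would have caught this.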
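Review bot: `Zigzag Hail` is added as a synonym of this threat-actor entry without a ref documenting the mapping, and the same name is a standalone cluster `value` in clusters/microsoft-activity-group.json (visible in the preceding hunk). The galaxy convention for that case is a `related` element pointing at the other cluster's uuid with `"type": "similar"`, which keeps both clusters resolvable from either side, rather than a bare synonym; most of the Microsoft-name synonym additions in this commit could use the same cross-link. The enclosing entry starts and ends outside this hunk.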
@@ -1034,7 +1035,8 @@ "https://unit42.paloaltonetworks.com/atoms/granite-taurus", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new" ], "synonyms": [ "STONE PANDAD", @@ -1048,7 +1050,8 @@ "BRONZE RIVERSIDE", "ATK41", "G0045", - "Granite Taurus" + "Granite Taurus", + "TA429" ] }, "related": [ @@ -1160,7 +1163,8 @@ "BRONZE IDLEWOOD", "NICKEL", "G0004", - "Red Vulture" + "Red Vulture", + "Nylon Typhoon" ], "targeted-sector": [ "Government, Administration" @@ -1931,7 +1935,8 @@ "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", "https://www.cfr.org/interactive/cyber-operations/apt-33", "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf", - "https://dragos.com/adversaries.html" + "https://dragos.com/adversaries.html", + "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" ], "synonyms": [ "APT 33", @@ -1941,7 +1946,9 @@ "HOLMIUM", "COBALT TRINITY", "G0064", - "ATK35" + "ATK35", + "Peach Sandstorm", + "TA451" ], "victimology": "Petrochemical, Aerospace, Saudi Arabia" }, @@ -2407,7 +2414,8 @@ "APT-C-20", "UAC-0028", "FROZENLAKE", - "Sofacy" + "Sofacy", + "Forest Blizzard" ], "targeted-sector": [ "Military", @@ -2636,7 +2644,8 @@ "ITG12", "Blue Python", "SUMMIT", - "UNC4210" + "UNC4210", + "Secret Blizzard" ], "targeted-sector": [ "Government, Administration", 
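Review bot: The ref added in the first hunk here is Proofpoint's TA410/LookBack write-up, but the synonym added in the next hunk is `TA429`; unless that article is where the TA429 alias for this group is asserted, the new synonym has no supporting source in the entry. If the alias comes from Proofpoint's APT10 material, cite that page instead (`<proofpoint TA429 ref URL>`). The same synonym-without-ref pattern recurs for `Forest Blizzard`, `Secret Blizzard`, `Nylon Typhoon` and most other Microsoft names added in this commit; a single ref per entry to the vendor naming announcement would make the mappings verifiable.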
@@ -2731,7 +2740,8 @@ "ATK6", "ITG15", "BROMINE", - "Blue Kraken" + "Blue Kraken", + "Ghost Blizzard" ], "targeted-sector": [ "Energy" @@ -2813,7 +2823,8 @@ "IRIDIUM", "Blue Echidna", "FROZENBARENTS", - "UAC-0113" + "UAC-0113", + "Seashell Blizzard" ], "targeted-sector": [ "Electric", @@ -2910,7 +2921,8 @@ "https://threatintel.blog/OPBlueRaven-Part2/", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous", - "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape" + "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", + "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/" ], "synonyms": [ "CARBON SPIDER", @@ -2920,7 +2932,10 @@ "G0046", "G0008", "Coreid", - "Carbanak" + "Carbanak", + "Sangria Tempest", + "ELBRUS", + "Carbon Spider" ] }, "related": [ 
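Review bot: `Carbon Spider` is added in the last hunk here to a synonym list whose context line already holds `CARBON SPIDER`, so the entry now carries two spellings of the same vendor name. The same duplication appears later in the commit: `THALLIUM` beside `Thallium` (Kimsuky entry), `Zirconium` beside `ZIRCONIUM` (APT31 entry), `Twisted Spider` beside `TWISTED SPIDER` (TA2101 entry), and `Lazarus group` added to the Lazarus entry itself. If synonym matching in the consumer is case-insensitive these are pure duplicates; if it is case-sensitive they are noise that makes the list harder to audit. Keep one canonical spelling per vendor name — the file mostly uses the vendor's own casing — and drop the other.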
@@ -3082,11 +3097,13 @@ "value": "UNION SPIDER" }, { + "description": "Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.", "meta": { "attribution-confidence": "50", "country": "KP", "refs": [ - "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" + "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf", + "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/" ], "synonyms": [ "OperationTroy", @@ -3094,7 +3111,9 @@ "GOP", "WHOis Team", "Andariel", - "Subgroup: Andariel" + "Subgroup: Andariel", + "Onyx Sleet", + "PLUTONIUM" ] }, "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7", @@ -3196,7 +3215,10 @@ "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html", "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html", "https://attack.mitre.org/groups/G0082", - "https://attack.mitre.org/groups/G0032" + "https://attack.mitre.org/groups/G0032", + "https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/", + "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds", + "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists" ], "synonyms": [ "Operation DarkSeoul", 
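Review bot: The new Andariel description says `WHOIS utilizes spear phishing attacks`, which reads as the domain-lookup protocol rather than the group; the synonym list in the next hunk spells it `WHOis Team`, so the sentence should use that name or simply `The group utilizes …`. The description also asserts supply-chain attacks and specific malware (Infostealer, TigerRAT) while the only ref added is the TeamCity CVE-2023-42793 post, so readers cannot verify those claims from the entry; a ref for them would help. The enclosing entry ends outside this hunk.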
@@ -3227,7 +3249,16 @@ "ATK3", "G0032", "ATK117", - "G0082" + "G0082", + "Citrine Sleet", + "DEV-0139", + "DEV-1222", + "Diamond Sleet", + "ZINC", + "Sapphire Sleet", + "COPERNICIUM", + "TA404", + "Lazarus group" ] }, "related": [ @@ -3872,7 +3903,8 @@ "White Giant", "GOLD FRANKLIN", "ATK88", - "G0037" + "G0037", + "Camouflage Tempest" ] }, "related": [ @@ -3981,7 +4013,8 @@ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", "https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/", - "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/" + "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/", + "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" ], "synonyms": [ "Twisted Kitten", @@ -3993,7 +4026,10 @@ "IRN2", "ATK40", "G0049", - "Evasive Serpens" + "Evasive Serpens", + "Hazel Sandstorm", + "EUROPIUM", + "TA452" ], "targeted-sector": [ "Chemical", @@ -4561,7 +4597,9 @@ "Shuckworm", "Trident Ursa", "UAC-0010", - "Winterflounder" + "Winterflounder", + "Aqua Blizzard", + "Actinium" ] }, "related": [ @@ -4831,7 +4869,8 @@ "TIN WOODLAWN", "BISMUTH", "ATK17", - "G0050" + "G0050", + "Canvas Cyclone" ], "targeted-sector": [ "Dissidents", 
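Review bot: The Lazarus entry absorbs `Citrine Sleet`/`DEV-0139`, `Diamond Sleet`/`ZINC` and `Sapphire Sleet`/`COPERNICIUM` as plain synonyms, yet the TeamCity post cited in the previous hunk is explicitly about "multiple North Korean threat actors", i.e. the vendor tracks them as separate named actors. After this change tagging an event `Lazarus` implies all three, and the reverse mapping no longer records which subgroup was meant. Separate clusters, or `related` links with `"type": "similar"` to the matching microsoft-activity-group entries, preserve that granularity. The Wizard Spider hunk further down has the same issue with `Periwinkle Tempest`/`DEV-0193` and `Pistachio Tempest`/`DEV-0237`, which are also tracked as distinct actors.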
@@ -5178,13 +5217,16 @@ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "https://www.mandiant.com/resources/insights/apt-groups", - "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi" + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", + "http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html" ], "synonyms": [ "KEYHOLE PANDA", "MANGANESE", "BRONZE FLEETWOOD", - "TEMP.Bottle" + "TEMP.Bottle", + "Mulberry Typhoon", + "Poisoned Flight" ], "targeted-sector": [ "Electronic", @@ -5559,7 +5601,10 @@ "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report", - "https://asec.ahnlab.com/en/57873/" + "https://asec.ahnlab.com/en/57873/", + "https://asec.ahnlab.com/en/61082/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/", + "https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/" ], "synonyms": [ "Velvet Chollima", @@ -5567,7 +5612,9 @@ "Thallium", "Operation Stolen Pencil", "G0086", - "APT43" + "APT43", + "Emerald Sleet", + "THALLIUM" ], "targeted-sector": [ "Research - Innovation", 
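Review bot: The new ref `http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html` points at an internal hostname over plain HTTP; it will not resolve for readers and looks like the author's internal browsing context leaking into a public dataset. Replace it with the public equivalent of the post on the vendor's public site over https (`<public URL of the same post>`), or drop it. A lint step over `refs` that rejects non-public hosts and non-https schemes would catch this in CI before merge.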
@@ -6161,7 +6208,8 @@ "https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/", "https://attack.mitre.org/groups/G0069/", "http://www.secureworks.com/research/threat-profiles/cobalt-ulster", - "https://unit42.paloaltonetworks.com/atoms/boggyserpens/" + "https://unit42.paloaltonetworks.com/atoms/boggyserpens/", + "https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/" ], "synonyms": [ "TEMP.Zagros", @@ -6171,7 +6219,9 @@ "COBALT ULSTER", "G0069", "ATK51", - "Boggy Serpens" + "Boggy Serpens", + "Mango Sandstorm", + "TA450" ] }, "related": [ @@ -6384,7 +6434,8 @@ "Red Ladon", "ITG09", "MUDCARP", - "ISLANDDREAMS" + "ISLANDDREAMS", + "Gingham Typhoon" ] }, "related": [ @@ -6916,7 +6967,10 @@ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", - "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html" + "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html", + "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader", + "https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european", + "https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/" ], "synonyms": [ "BRONZE PRESIDENT", @@ -6924,7 +6978,10 @@ "Red Lich", "TEMP.HEX", "BASIN", - "Earth Preta" + "Earth Preta", + "TA416", + "Stately Taurus", + "LuminousMoth" ] }, "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", @@ -7371,7 +7428,8 @@ "G0092", "ATK103", "Hive0065", - "CHIMBORAZO" + "CHIMBORAZO", + "Spandex Tempest" ] }, "related": [ 
@@ -7453,12 +7511,21 @@ "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users", "http://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", - "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf" + "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf", + "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" ], "synonyms": [ "TEMP.MixMaster", "GOLD BLACKBURN", - "FIN12" + "FIN12", + "Periwinkle Tempest", + "DEV-0193", + "Storm-0193", + "Trickbot LLC", + "UNC2053", + "Pistachio Tempest", + "DEV-0237" ] }, "related": [ @@ -7562,7 +7629,8 @@ "REMIX KITTEN", "COBALT HICKMAN", "G0087", - "Radio Serpens" + "Radio Serpens", + "TA454" ] }, "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b", @@ -7880,12 +7948,15 @@ "https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian", "https://www.secureworks.com/research/threat-profiles/cobalt-dickens", - "https://community.riskiq.com/article/44eb0802" + "https://community.riskiq.com/article/44eb0802", + "https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect" ], "synonyms": [ "COBALT DICKENS", "Mabna Institute", - "TA407" + "TA407", + "TA4900", + "Yellow Nabu" ] }, "uuid": "5059b44d-2753-4977-b987-4922f09afe6b", 
@@ -7920,13 +7991,17 @@ "https://www.mandiant.com/resources/insights/apt-groups", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists" ], "synonyms": [ "ZIRCONIUM", "JUDGMENT PANDA", "BRONZE VINEWOOD", - "Red keres" + "Red keres", + "Violet Typhoon", + "TA412", + "Zirconium" ] }, "related": [ @@ -8375,7 +8450,9 @@ "value": "TA428" }, { + "description": "Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.", "meta": { + "country": "IR", "refs": [ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign", "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", @@ -8387,7 +8464,8 @@ "COBALT LYCEUM", "HEXANE", "Spirlin", - "siamesekitten" + "siamesekitten", + "Storm-0133" ] }, "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", 
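Review bot: `"country": "IR"` is added to the Lyceum entry (and `RU`/`CN` to the TA2101, GALLIUM, UAC-0056 and Ruinous Ursa entries in later hunks) without an `attribution-confidence` value, although the file already records one for other entries (`"attribution-confidence": "50"` in the Andariel hunk). Country attribution is the field most likely to be acted on downstream, so each new `country` should carry that confidence and a ref that actually states the attribution. Separately, the new Lyceum description has the typo `HTTPfor command and control` (missing space), and `is known for using cyber espionage techniques` says nothing — drop it or name the techniques the refs describe.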
@@ -8646,18 +8724,23 @@ { "description": "Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).", "meta": { + "country": "RU", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://adversary.crowdstrike.com/adversary/twisted-spider/", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic", - "http://www.secureworks.com/research/threat-profiles/gold-village" + "http://www.secureworks.com/research/threat-profiles/gold-village", + "https://www.cysecurity.news/2023/12/twisted-spiders-dangerous-cactus.html" ], "synonyms": [ "Maze Team", "TWISTED SPIDER", - "GOLD VILLAGE" + "GOLD VILLAGE", + "Storm-0216", + "DEV-0216", + 
"Twisted Spider" ] }, "uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d", @@ -9055,15 +9138,18 @@ { "description": "GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss.", "meta": { + "country": "CN", "refs": [ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://www.youtube.com/watch?v=fBFm2fiEPTg", "https://troopers.de/troopers22/talks/7cv8pz/", - "https://unit42.paloaltonetworks.com/atoms/alloytaurus/" + "https://unit42.paloaltonetworks.com/atoms/alloytaurus/", + "https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/" ], "synonyms": [ "Red Dev 4", - "Alloy Taurus" + "Alloy Taurus", + "Granite Typhoon" ] }, "related": [ @@ -9098,10 +9184,16 @@ "refs": [ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://securelist.com/deathstalker-mercenary-triumvirate/98177/", - "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/" + "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/", + "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector" ], "synonyms": [ - "DeathStalker" + "DeathStalker", + "TA4563", + "EvilNum", + "Jointworm" ] }, "uuid": "b6f3150f-2240-4c57-9dda-5144c5077058", @@ -9125,7 +9217,9 @@ "synonyms": [ "PIONEER KITTEN", "PARISITE", - "UNC757" + "UNC757", + "Lemon Sandstorm", + "RUBIDIUM" ] }, "related": [ 
@@ -9363,7 +9457,8 @@ "ATK233", "G0125", "Operation Exchange Marauder", - "Red Dev 13" + "Red Dev 13", + "Silk Typhoon" ] }, "related": [ @@ -9423,7 +9518,9 @@ "synonyms": [ "UNC1151", "TA445", - "PUSHCHA" + "PUSHCHA", + "Storm-0257", + "DEV-0257" ] }, "related": [ @@ -10045,7 +10142,9 @@ "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "synonyms": [ - "Moses Staff" + "Moses Staff", + "Marigold Sandstorm", + "DEV-0500" ] }, "related": [ @@ -10103,7 +10202,8 @@ "synonyms": [ "LAPSUS$", "DEV-0537", - "SLIPPY SPIDER" + "SLIPPY SPIDER", + "Strawberry Tempest" ] }, "related": [ @@ -10198,6 +10298,7 @@ { "description": "A group targeting UA state organizations using the GraphSteel and GrimPlant malware.", "meta": { + "country": "RU", "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel", "https://cert.gov.ua/article/38374", @@ -10206,7 +10307,8 @@ "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://unit42.paloaltonetworks.com/atoms/nascentursa/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer", - "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/" + "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/", + "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" ], "synonyms": [ "UNC2589", @@ -10214,7 +10316,10 @@ "UAC-0056", "Nascent Ursa", "Nodaria", - "FROZENVISTA" + "FROZENVISTA", + "Storm-0587", + "DEV-0587", + "Saint Bear" ] }, "uuid": "c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f", 
@@ -10415,7 +10520,11 @@ "cfr-type-of-incident": "Espionage", "country": "LB", "refs": [ - "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" + "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/", + "https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements" + ], + "synonyms": [ + "Plaid Rain" ] }, "related": [ @@ -10461,13 +10570,16 @@ "Ukraine" ], "cfr-type-of-incident": "Sabotage", + "country": "RU", "refs": [ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", - "https://unit42.paloaltonetworks.com/atoms/ruinousursa/" + "https://unit42.paloaltonetworks.com/atoms/ruinousursa/", + "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" ], "synonyms": [ - "Ruinous Ursa" + "Ruinous Ursa", + "Cadet Blizzard" ] }, "related": [ @@ -10583,7 +10695,8 @@ "BRONZE UNIVERSITY", "AQUATIC PANDA", "Red Dev 10", - "RedHotel" + "RedHotel", + "Charcoal Typhoon" ] }, "related": [ 
@@ -10719,11 +10832,17 @@ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", - "https://twitter.com/cglyer/status/1480734487000453121" + "https://twitter.com/cglyer/status/1480734487000453121", + "https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group", + "https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/", + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader" ], "synonyms": [ "SLIME34", - "DEV-0401" + "DEV-0401", + "Cinnamon Tempest", + "Emperor Dragonfly" ] }, "related": [ @@ -10982,6 +11101,9 @@ "meta": { "refs": [ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" + ], + "synonyms": [ + "Wine Tempest" ] }, "related": [ @@ -12173,7 +12295,9 @@ "Scattered Swine", "Scatter Swine", "Octo Tempest", - "0ktapus" + "0ktapus", + "Storm-0971", + "DEV-0971" ] }, "uuid": "3b238f3a-c67a-4a9e-b474-dc3897e00129", @@ -13174,6 +13298,10 @@ "country": "IR", "refs": [ "https://twitter.com/CyberAmyHB/status/1532398956918890500" + ], + "synonyms": [ + "Smoke Sandstorm", + "BOHRIUM" ] }, "uuid": "111efc97-6a93-487b-8cb3-1e890ac51066", 
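Review bot: The added `https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/` duplicates the first context line of the same hunk, which is the same post without the `en-us` segment and trailing slash. Keep one form so the `refs` list does not carry two URLs for one source; the file uses the `en-us` form for the newer Microsoft posts, so dropping the new line or replacing the old one both work. A normalising de-dup pass (strip locale segment and trailing slash before comparing) would catch this across the whole file.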
@@ -13490,7 +13618,8 @@
 "https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/"
 ],
 "synonyms": [
- "DEV-0322"
+ "DEV-0322",
+ "Circle Typhoon"
 ]
 },
 "uuid": "aca6b3d2-1c3b-4674-9de8-975e35723bcf",
@@ -14136,6 +14265,648 @@ }, "uuid": "46e26e5c-ad74-45aa-a654-1afef67f4566", "value": "Blackwood" + }, + { + "description": "Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the Austrian spyware distributor DSIRF.", + "meta": { + "country": "AT", + "refs": [ + "https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-exploiting-csrss-for-privilege-escalation", + "https://socradar.io/threats-of-commercialized-malware-knotweed/", + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/" + ], + "synonyms": [ + "KNOTWEED", + "DSIRF" + ] + }, + "uuid": "79a347d9-1938-4550-8836-98e4ed95f77c", + "value": "Denim Tsunami" + }, + { + "description": "Blue Tsunami, also known as Black Cube, is a cyber mercenary group associated with the private intelligence firm Black Cube. They target individuals in various industries, including human rights, finance, and consulting. Blue Tsunami engages in social engineering and uses techniques such as honeypot profiles, fake jobs, and fake companies to gather human intelligence for their clients. 
LinkedIn and Microsoft recently took down numerous fake accounts and company pages linked to Blue Tsunami.", + "meta": { + "country": "IL", + "refs": [ + "https://precisionpconline.com/a-unified-front-against-cyber-mercenaries/", + "https://www.microsoft.com/en-us/security/blog/2023/11/09/microsoft-shares-threat-intelligence-at-cyberwarcon-2023/" + ], + "synonyms": [ + "Black Cube" + ] + }, + "uuid": "46104ded-49f5-4440-bd25-e05c1126f0ba", + "value": "Blue Tsunami" + }, + { + "description": "Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021. They gained access to the company's network and used it to compromise downstream customers in the defense, energy, and legal sectors in Israel. The group also utilized custom implants, including a remote access Trojan disguised as RuntimeBroker.exe or svchost.exe, to establish persistence on victim hosts.", + "meta": { + "country": "IR", + "refs": [ + "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/" + ], + "synonyms": [ + "DEV-0228" + ] + }, + "uuid": "a4004712-f74b-4c8c-b1fb-bb7229bc2da1", + "value": "Cuboid Sandstorm" + }, + { + "description": "Pearl Sleet is a nation state activity group based in North Korea that has been active since at least 2012. They primarily target defectors from North Korea, media organizations in carrying out their cyber espionage activities.", + "meta": { + "country": "KP", + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431" + ], + "synonyms": [ + "DEV-0215", + "LAWRENCIUM" + ] + }, + "uuid": "ef0d776a-51de-4965-ba1c-69ed256e0e5d", + "value": "Pearl Sleet" + }, + { + "description": "Carmine Tsunami is a threat actor linked to an Israel-based private sector offensive actor called QuaDream. 
QuaDream sells a platform called REIGN to governments for law enforcement purposes, which includes exploits, malware, and infrastructure for data exfiltration from mobile devices. Carmine Tsunami is associated with the iOS malware called KingsPawn and has targeted civil society victims, including journalists, political opposition figures, and NGO workers, in various regions. They utilize domain registrars and inexpensive cloud hosting providers, often using single domains per IP address and deploying free Let's Encrypt SSL certificates.", + "meta": { + "country": "IL", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/", + "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/" + ], + "synonyms": [ + "DEV-0196", + "QuaDream" + ] + }, + "uuid": "fa76ce6a-f434-4d4a-817f-c4bd0a3f803c", + "value": "Carmine Tsunami" + }, + { + "description": "Mustard Tempest is a threat actor that primarily uses malvertising as their main technique to gain access to and profile networks. They deploy FakeUpdates, disguised as browser updates or software packages, to lure targets into downloading a ZIP file containing a JavaScript file. Once executed, the JavaScript framework acts as a loader for other malware campaigns, often Cobalt Strike payloads. 
Mustard Tempest has been associated with the cybercrime syndicate Mustard Tempest, also known as EvilCorp, and has been involved in ransomware attacks using payloads such as WastedLocker, PhoenixLocker, and Macaw.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ], + "synonyms": [ + "DEV-0206", + "Purple Vallhund" + ] + }, + "uuid": "3ce9610b-2435-4c41-80d1-3f95a5ff2984", + "value": "Mustard Tempest" + }, + { + "description": "UNC4990 is a financially motivated threat actor that has been active since at least 2020. They primarily target users in Italy and rely on USB devices for initial infection. The group has evolved their tactics over time, using encoded text files on popular websites like GitHub and Vimeo to host payloads. They have been observed using sophisticated backdoors like QUIETBOARD and EMPTYSPACE, and have targeted organizations in various industries, particularly in Italy.", + "meta": { + "country": "IT", + "refs": [ + "https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware" + ] + }, + "uuid": "7db46444-2d27-4922-8a21-98f8509476dc", + "value": "UNC4990" + }, + { + "description": "Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. 
They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.", + "meta": { + "refs": [ + "https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/", + "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", + "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/", + "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/", + "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", + "https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/" + ], + "synonyms": [ + "SOURGUM", + "Candiru" + ] + }, + "uuid": "062938a2-6fa1-4217-ad73-f5e0b5186966", + "value": "Caramel Tsunami" + }, + { + "description": "Storm-0867 is a threat actor that has been active since 2012 and has targeted various industries and regions. They employ sophisticated phishing campaigns, utilizing social engineering techniques and a phishing as a service platform called Caffeine. Their attacks involve intercepting and manipulating communication between users and legitimate services, allowing them to steal passwords, hijack sign-in sessions, bypass multifactor authentication, and modify authentication methods.", + "meta": { + "country": "EG", + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/defender-experts-chronicles-a-deep-dive-into-storm-0867/ba-p/3911769" + ], + "synonyms": [ + "DEV-0867" + ] + }, + "uuid": "dc1d0202-8976-4d15-810d-4af0feff6af9", + "value": "Storm-0867" + }, + { + "description": "Velvet Tempest is a threat actor associated with the BlackCat ransomware group. 
They have been observed deploying multiple ransomware payloads, including BlackCat, and have targeted various industries such as energy, fashion, tobacco, IT, and manufacturing. Velvet Tempest relies on access brokers to gain network access and utilizes tools like Cobalt Strike Beacons and PsExec for lateral movement and payload staging. They exfiltrate stolen data using a tool called StealBit and frequently disable unprotected antivirus products.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "http://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" + ], + "synonyms": [ + "DEV-0504" + ] + }, + "uuid": "209b1452-7062-46f8-9037-3be5f7eda54f", + "value": "Velvet Tempest" + }, + { + "description": "DEV-0665 is a threat actor associated with the HermeticWiper attacks. Their objective is to disrupt, degrade, and destroy specific resources within a targeted country.", + "meta": { + "country": "RU", + "refs": [ + "https://twitter.com/ESETresearch/status/1503436420886712321", + "https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html" + ], + "synonyms": [ + "DEV-0665" + ] + }, + "uuid": "9c0f0db1-b773-42ff-a6f7-d4b6c1d28ca4", + "value": "Sunglow Blizzard" + }, + { + "description": "Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. 
There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation", + "https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2", + "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/" + ], + "synonyms": [ + "DEV-0832", + "Vice Society" + ] + }, + "uuid": "c4132d43-2405-43ca-9940-a6f78e007861", + "value": "Vanilla Tempest" + }, + { + "description": "Lilac Typhoon is a threat actor attributed to China. They have been identified as exploiting the Atlassian Confluence RCE vulnerability CVE-2022-26134, which allows for remote code execution. This vulnerability has been used in cryptojacking campaigns and is included in commercial exploit frameworks. Lilac Typhoon has also been involved in deploying various payloads such as Cobalt Strike, web shells, botnets, coin miners, and ransomware.", + "meta": { + "country": "CN", + "refs": [ + "https://securityboulevard.com/2022/10/analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups/", + "https://riskybiznews.substack.com/p/risky-biz-news-google-shuts-down", + "https://twitter.com/MsftSecIntel/status/1535417776290111489" + ], + "synonyms": [ + "DEV-0234" + ] + }, + "uuid": "b80be7a7-6d06-4da7-8ae0-302a198e7c73", + "value": "Lilac Typhoon" + }, + { + "description": "Ruby Sleet is a threat actor linked to North Korea's Ministry of State Security. Cerium has been involved in spear-phishing campaigns, compromising devices, and conducting cyberattacks alongside other North Korean threat actors. 
They have also targeted companies involved in COVID-19 research and vaccine development.", + "meta": { + "country": "KP", + "refs": [ + "https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/" + ], + "synonyms": [ + "CERIUM" + ] + }, + "uuid": "03ff54cf-f7d4-4606-a531-2ca6d4fa6a54", + "value": "Ruby Sleet" + }, + { + "description": "Microsoft has tracked Raspberry Typhoon (RADIUM) as the primary threat group targeting nations that ring the South China Sea. Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure, particularly telecoms. Since January 2023, Raspberry Typhoon has been particularly persistent. When targeting government ministries or infrastructure, Raspberry Typhoon typically conducts intelligence collection and malware execution. In many countries, targets vary from defense and intelligence-related ministries to economic and trade-related ministries", + "meta": { + "country": "CN", + "refs": [ + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW" + ], + "synonyms": [ + "RADIUM" + ] + }, + "uuid": "37f012df-54d8-4b3d-a288-af47240430ea", + "value": "Raspberry Typhoon" + }, + { + "description": "Phlox Tempest is a threat actor responsible for a large-scale click fraud campaign targeting users through YouTube comments and malicious ads. They use ChromeLoader to infect victims' computers with malware, often delivered as ISO image files that victims are tricked into downloading. The attackers aim to profit from clicks generated by malicious browser extensions or node-WebKit installed on the victim's device. 
Microsoft and other cybersecurity organizations have issued warnings about this ongoing and prevalent campaign.", + "meta": { + "refs": [ + "https://twitter.com/MsftSecIntel/status/1570911625841983489" + ], + "synonyms": [ + "DEV-0796" + ] + }, + "uuid": "dd012c50-4f4f-4485-ac52-294a341f03e5", + "value": "Phlox Tempest" + }, + { + "description": "Storm-1295 is a threat actor group that operates the Greatness phishing-as-a-service platform. They utilize synchronous relay servers to present targets with a replica of a sign-in page, resembling traditional phishing attacks. Their adversary-in-the-middle capability allows Storm-1295 to offer their services to other attackers. Active since mid-2022, Storm-1295 is tracked by Microsoft and is known for their involvement in the Greatness PhaaS platform.", + "meta": { + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-july-2023/ba-p/3860740", + "https://twitter.com/MsftSecIntel/status/1696273952870367320" + ], + "synonyms": [ + "DEV-1295" + ] + }, + "uuid": "5f485e47-18ad-4302-85a1-0a390fe90dc1", + "value": "Storm-1295" + }, + { + "description": "Storm-1167 is a threat actor tracked by Microsoft, known for their use of an AiTM phishing kit. They were responsible for launching an attack that led to Business Email Compromise activity.", + "meta": { + "country": "ID", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/" + ], + "synonyms": [ + "DEV-1167" + ] + }, + "uuid": "17fb8267-44a3-405b-b6b9-ba7fdeb56693", + "value": "Storm-1167" + }, + { + "description": "Konni is a threat actor associated with APT37, a North Korean cyber crime group. They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. 
They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain control of victim hosts and steal important information.", + "meta": { + "country": "KP", + "refs": [ + "https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/", + "https://paper.seebug.org/3031/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11", + "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/" + ], + "synonyms": [ + "OSMIUM", + "Konni" + ] + }, + "uuid": "5f71a9ea-511d-4fdd-9807-271ef613f488", + "value": "Opal Sleet" + }, + { + "description": "Storm-1044 has been identified as part of a cyber campaign in collaboration with Twisted Spider. They employ a strategic approach, targeting specific endpoints using an initial access trojan called DanaBot. Once they gain access, Storm-1044 initiates lateral movement through Remote Desktop Protocol sign-in attempts, passing control to Twisted Spider. Twisted Spider then compromises the endpoints by introducing the CACTUS ransomware. Microsoft has detected ongoing malvertising attacks involving Storm-1044, leading to the deployment of CACTUS ransomware.", + "meta": { + "refs": [ + "https://twitter.com/MsftSecIntel/status/1730383711437283757" + ], + "synonyms": [ + "DEV-1044" + ] + }, + "uuid": "5ec7a98e-9725-4f87-8a6e-91e2b4ba04ac", + "value": "Storm-1044" + }, + { + "description": "Agonizing Serpens is an Iranian-linked APT group that has been active since 2020. They are known for their destructive wiper and fake-ransomware attacks, primarily targeting Israeli organizations in the education and technology sectors. The group has strong connections to Iran's Ministry of Intelligence and Security and has been observed using various tools and techniques to bypass security measures. 
They aim to steal sensitive information, including PII and intellectual property, and inflict damage by wiping endpoints.", + "meta": { + "country": "IR", + "refs": [ + "https://www.oodaloop.com/archive/2024/01/02/critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024/", + "https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/", + "https://socprime.com/blog/agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions/", + "https://therecord.media/iran-linked-hackers-target-israel-education-tech-sectors", + "https://www.enigmasoftware.com/moneybirdransomware-removal/", + "https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/" + ], + "synonyms": [ + "AMERICIUM", + "BlackShadow", + "DEV-0022", + "Agrius", + "Agonizing Serpens" + ] + }, + "uuid": "0876c327-c82a-45f7-82fa-267c312ceb05", + "value": "Pink Sandstorm" + }, + { + "description": "Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group. They have used the DarkBit persona to mask their involvement in targeted attacks. Storm-1084 has been linked to destructive actions, including the encryption of on-premise devices and deletion of cloud resources. They have been observed using tools such as Rport, Ligolo, and a customized PowerShell backdoor. 
The extent of their autonomy or collaboration with other Iranian threat actors is currently unclear.", + "meta": { + "country": "IR", + "refs": [ + "https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns", + "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/" + ], + "synonyms": [ + "DEV-1084" + ] + }, + "uuid": "2cc32087-f242-4091-8634-4554635b7a58", + "value": "Storm-1084" + }, + { + "description": "Storm-1099 is a sophisticated Russia-affiliated influence actor that has been conducting pro-Russia influence operations targeting international supporters of Ukraine since Spring 2022. They are known for their website forgery operation called \"Doppelganger\" and have been actively spreading false information. They have been involved in pushing the claim that Hamas acquired Ukrainian weapons for an attack on Israel. Storm-1099 has also been implicated in amplifying images of graffiti in Paris, suggesting possible Russian involvement and aligning with Russia's Active Measures playbook.", + "meta": { + "country": "RU", + "refs": [ + "https://blogs.microsoft.com/on-the-issues/2023/12/07/russia-ukraine-digital-threat-celebrity-cameo-mtac/" + ] + }, + "uuid": "b05a2a56-08dc-4827-9aef-aaade91016a4", + "value": "Storm-1099" + }, + { + "description": "Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled. They employ password spraying attacks to compromise these accounts and utilize legacy authentication protocols like IMAP and SMTP. In the past, they have attempted to compromise admin accounts and create new LOB applications with high administrative permissions to spread spam. 
Despite previous actions taken by Microsoft Threat Intelligence, Storm-1286 continues to explore new methods to establish a high-scale spamming platform within victim organizations using non-privileged users.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/" + ] + }, + "uuid": "375988ab-91b9-419e-8646-a4783b931288", + "value": "Storm-1286" + }, + { + "description": "DEV-1101 is a threat actor tracked by Microsoft who is responsible for developing and advertising phishing kits, specifically AiTM phishing kits. These kits are capable of bypassing multifactor authentication and are available for purchase or rent by other cybercriminals. DEV-1101 offers an open-source kit with various enhancements, such as mobile device management and CAPTCHA evasion. Their tool has been used in high-volume phishing campaigns by multiple actors, including DEV-0928, and is sold for $300 with VIP licenses available for $1,000.", + "meta": { + "refs": [ + "http://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/" + ], + "synonyms": [ + "DEV-1101" + ] + }, + "uuid": "8081af2c-442f-4487-9cf7-022cbe010b8f", + "value": "Storm-1101" + }, + { + "description": "Storm-0381 is a threat actor identified by Microsoft as a Russian cybercrime group. They are known for their use of malvertising to deploy Magniber, a type of ransomware.", + "meta": { + "country": "RU", + "refs": [ + "https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023" + ], + "synonyms": [ + "DEV-0381" + ] + }, + "uuid": "874860fe-5aee-4c94-aee1-2166c225c41e", + "value": "Storm-0381" + }, + { + "description": "H0lyGh0st is a North Korean threat actor that has been active since June 2021. 
They are responsible for developing and deploying the H0lyGh0st ransomware, which targets small-to-medium businesses in various sectors. The group employs \"double extortion\" tactics, encrypting data and threatening to publish it if the ransom is not paid. There are connections between H0lyGh0st and the PLUTONIUM APT group, indicating a possible affiliation.", + "meta": { + "country": "KP", + "refs": [ + "https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a", + "https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware", + "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/", + "https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware" + ], + "synonyms": [ + "DEV-0530", + "H0lyGh0st" + ] + }, + "uuid": "47945864-c233-46e7-8b96-b427b97b0ebf", + "value": "Storm-0530" + }, + { + "description": "Storm-0539 is a financially motivated threat actor that has been active since at least 2021. They primarily target retail organizations for gift card fraud and theft. Their tactics include phishing via emails or SMS to distribute malicious links that redirect users to phishing pages designed to steal credentials and session tokens. Once access is gained, Storm-0539 registers a device for secondary authentication prompts, bypassing multi-factor authentication and gaining persistence in the environment. 
They also collect emails, contact lists, and network configurations for further attacks against the same organizations.", + "meta": { + "refs": [ + "https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/", + "https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796" + ] + }, + "uuid": "760b350c-522e-432d-80c5-7aab0eaf8873", + "value": "Storm-0539" + }, + { + "description": "Storm-1152, a cybercriminal group, was recently taken down by Microsoft for illegally reselling Outlook accounts. They operated by creating approximately 750 million fraudulent Microsoft accounts and earned millions of dollars in illicit revenue. Storm-1152 also offered CAPTCHA-solving services and was connected to ransomware and extortion groups. Microsoft obtained a court order to seize their infrastructure and domains, disrupting their operations.", + "meta": { + "country": "VN", + "refs": [ + "https://securityboulevard.com/2023/12/microsoft-storm-1152-crackdown-stopping-threat-actors/", + "https://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/" + ] + }, + "uuid": "e18dca82-0524-4338-9a66-e13e67c81ac4", + "value": "Storm-1152" + }, + { + "description": "Storm-1567 is the threat actor behind the Ransomware-as-a-Service Akira. They attacked Swedish organizations in March 2023. This ransomware utilizes the ChaCha encryption algorithm, PowerShell, and Windows Management Instrumentation (WMI). 
Microsoft's Defender for Endpoint successfully blocked a large-scale hacking campaign carried out by Storm-1567, highlighting the effectiveness of their security solution.", + "meta": { + "refs": [ + "https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/", + "https://securelist.com/crimeware-report-fakesg-akira-amos/111483/", + "https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html", + "https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape", + "https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/" + ], + "synonyms": [ + "Akira" + ] + }, + "uuid": "3a912680-6f38-4fe7-9941-744f0e2280b3", + "value": "Storm-1567" + }, + { + "description": "Nwgen is a group that focuses on data exfiltration and ransomware activities. They have been found to share techniques with other threat groups such as Karakurt, Lapsus$, and Yanluowang. Nwgen has been observed carrying out attacks and deploying ransomware, encrypting files and demanding a ransom of $150,000 in Monero cryptocurrency for the decryption software.", + "meta": { + "refs": [ + "https://www.enigmasoftware.com/nwgenransomware-removal/", + "https://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/", + "https://readme.security/cybercrime-is-more-of-a-threat-than-nation-state-hackers-6f6cccf47721", + "https://twitter.com/cglyer/status/1546297609215696897" + ], + "synonyms": [ + "DEV-0829", + "Nwgen Team" + ] + }, + "uuid": "3e595289-05b8-43fc-bd88-f8650436447f", + "value": "Storm-0829" + }, + { + "description": "Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. 
In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/" + ] + }, + "uuid": "eb7b5ed7-cf9d-4c72-8f89-a2ee070b89b6", + "value": "Storm-1674" + }, + { + "description": "Cybercriminals have launched a phishing campaign targeting senior executives in U.S. firms, using the EvilProxy phishing toolkit for credential harvesting and account takeover attacks. This campaign, initiated in July 2023, primarily targets sectors such as banking, financial services, insurance, property management, real estate, and manufacturing. The attackers exploit an open redirection vulnerability on the job search platform \"indeed.com,\" redirecting victims to malicious phishing pages impersonating Microsoft. EvilProxy functions as a reverse proxy, intercepting credentials, two-factor authentication codes, and session cookies to hijack accounts. The threat actors, known as Storm-0835 by Microsoft, have hundreds of customers who pay monthly fees for their services, making attribution difficult. The attacks involve sending phishing emails with deceptive links to Indeed, redirecting victims to EvilProxy pages for credential harvesting.", + "meta": { + "refs": [ + "https://www.linkedin.com/pulse/cyber-criminals-using-evilproxy-phishing-kit-target-senior-soral/" + ] + }, + "uuid": "2da09284-be56-49cd-ad18-993a6eb17af2", + "value": "Storm-0835" + }, + { + "description": "Storm-1575 is a threat actor identified by Microsoft as being involved in phishing campaigns using the Dadsec platform. 
They utilize hundreds of Domain Generated Algorithm domains to host credential harvesting pages and target global organizations to steal Microsoft 365 credentials.", + "meta": { + "refs": [ + "https://www.bridewell.com/insights/blogs/detail/analysing-widespread-microsoft365-credential-harvesting-campaign", + "https://twitter.com/MsftSecIntel/status/1712936244987019704?lang=en" + ] + }, + "uuid": "2485a9cb-b41c-43bd-8b1c-c64e919c0a4e", + "value": "Storm-1575" + }, + { + "description": "Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019. The actor, known as TA2552, uses well-crafted Spanish language lures that leverage a narrow range of themes and brands. The lures entice users to click a link in the message, taking them to the legitimate Microsoft third-party apps consent page. There they are prompted to grant a third-party application read-only user permissions to their O365 account via OAuth2 or other token-based authorization methods. TA2552 seeks access to specific account resources like the user’s contacts and mail. Requesting read-only permissions for such account resources could be used to conduct account reconnaissance, silently steal data, or to intercept password reset messages from other accounts such as those at financial institutions. While organizations with global presence have received messages from this group, they appear to choose recipients who are likely Spanish speakers. \n\n", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks" + ] + }, + "uuid": "e9de47f0-3e68-465c-b91e-7a2b7371955c", + "value": "TA2552" + }, + { + "description": "TA2722 is a highly active threat actor that targets various industries including Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy. 
They primarily focus on organizations in North America, Europe, and Southeast Asia. This threat actor impersonates Philippine government entities and uses themes related to the government to gain remote access to target computers. Their objectives include information gathering, installing follow-on malware, and engaging in business email compromise activities.", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread" + ], + "synonyms": [ + "Balikbayan Foxes" + ] + }, + "uuid": "625c3fb4-16fc-4992-9ff2-4fad869750ac", + "value": "TA2722" + }, + { + "description": "In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses localized lures with colorful images that impersonate local banks, law enforcement, and shipping services. Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay. ", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages" + ] + }, + "uuid": "33bfb09d-c6f4-4403-b434-1d4d4733ec52", + "value": "TA2719" + }, + { + "description": "Karkadann is a threat actor that has been active since at least October 2020, targeting government bodies and news outlets in the Middle East. They have been involved in watering hole attacks, compromising high-profile websites to inject malicious JavaScript code. The group has been linked to another commercial spyware company called Candiru, suggesting they may utilize multiple spyware technologies. 
There are similarities in the infrastructure and tactics used by Karkadann in their campaigns.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/apt-trends-report-q2-2022/106995/",
+ "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/"
+ ],
+ "synonyms": [
+ "Piwiks"
+ ]
+ },
+ "uuid": "8146ba06-cef2-4a94-b26e-1a4041e04c7d",
+ "value": "Karkadann"
+ },
+ {
+ "description": "Tomiris is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
+ ]
+ },
+ "uuid": "2f854548-1af0-4f55-acab-4f85ce9f162c",
+ "value": "Tomiris"
+ },
+ {
+ "description": "ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. 
Their activities have been detected in various locations, including Indonesia and Syria.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://securelist.com/ksb-2019-review-of-the-year/95394/",
+ "https://securelist.com/apt-trends-report-q3-2019/94530/",
+ "https://securelist.com/apt-review-of-the-year/89117/"
+ ]
+ },
+ "uuid": "07791d89-64b6-46df-9f67-ccde8c2cbb20",
+ "value": "ShaggyPanther"
+ },
+ {
+ "description": "Fishing Elephant is a threat actor that primarily targets victims in Bangladesh and Pakistan. They rely on consistent TTPs, including payload and communication patterns, while occasionally incorporating new techniques such as geo-fencing and hiding executables within certificate files. Their tool of choice is AresRAT, which they deliver through platforms like Heroku and Dropbox. Recently, they have shifted their focus to government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine, and China.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/apt-trends-report-q1-2020/96826/",
+ "https://securelist.com/apt-trends-report-q1-2022/106351/"
+ ]
+ },
+ "uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
+ "value": "Fishing Elephant"
+ },
+ {
+ "description": "RevengeHotels is a targeted cybercrime campaign that has been active since 2015, primarily targeting hotels, hostels, and tourism companies. The threat actor uses remote access Trojan malware to infiltrate hotel front desks and steal credit card data from guests and travelers. The campaign has impacted hotels in multiple countries, including Brazil, Argentina, Chile, and Mexico. 
The threat actor employs social engineering techniques and sells credentials from infected systems to other cybercriminals for remote access.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/revengehotels/95229/"
+ ]
+ },
+ "uuid": "083acee6-6969-4c74-80c2-5d442936aa97",
+ "value": "RevengeHotels"
+ },
+ {
+ "description": "GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
+ "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
+ ]
+ },
+ "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
+ "value": "GhostEmperor"
+ },
+ {
+ "description": "Operation Triangulation is an ongoing APT campaign targeting iOS devices with zero-click iMessage exploits. The threat actor behind the campaign has been active since at least 2019 and continues to operate. The attack chain involves the delivery of a malicious iMessage attachment that launches a series of exploits, ultimately leading to the deployment of the TriangleDB implant. 
Kaspersky researchers have discovered and reported multiple vulnerabilities used in the campaign, with patches released by Apple.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/",
+ "https://securelist.com/operation-triangulation-catching-wild-triangle/110916/",
+ "https://securelist.com/triangulation-validators-modules/110847/",
+ "https://securelist.com/operation-triangulation/109842/"
+ ]
+ },
+ "uuid": "220001c6-c976-4cad-a356-4d8c2dd2b1c1",
+ "value": "Operation Triangulation"
+ },
+ {
+ "description": "Operation Ghoul is a profit-driven threat actor that targeted over 130 organizations in 30 countries, primarily in the industrial and engineering sectors. They employed high-quality social engineering techniques, such as spear-phishing emails disguised as payment advice from a UAE bank, to distribute malware. The group's main motivation is financial gain through the sale of stolen intellectual property and business intelligence, as well as attacks on banking accounts. Their attacks were effective, particularly against companies that were unprepared to detect them.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/kaspersky-security-bulletin-2016-executive-summary/76858/",
+ "https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/"
+ ]
+ },
+ "uuid": "624cc006-1131-4e53-a53c-3958cfbe233f",
+ "value": "Operation Ghoul"
+ },
+ {
+ "description": "CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018. 
Their methods include spear-phishing, custom malware with anti-detection features, and potentially shared infrastructure with other actors.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://securelist.com/apt-review-of-the-year/89117/"
+ ]
+ },
+ "uuid": "97f40858-1582-4a59-a990-866813982830",
+ "value": "CardinalLizard"
+ },
+ {
+ "description": "Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar until a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. Kaspersky then expanded some of the findings on the group and provided insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victims machine. Kaspersky were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. 
In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/"
+ ]
+ },
+ "uuid": "f34962a4-a792-4f23-af23-a8bf0f053fcf",
+ "value": "Ferocious Kitten"
 }
 ],
 "version": 299
diff --git a/galaxies/atrm.json b/galaxies/atrm.json
index 6731d045..d56184ea 100644
--- a/galaxies/atrm.json
+++ b/galaxies/atrm.json
@@ -9,12 +9,12 @@
 "Privilege Escalation",
 "Persistence",
 "Credential Access",
- "Exfiltration"
+ "Impact"
 ]
 },
 "name": "Azure Threat Research Matrix",
 "namespace": "atrm",
 "type": "atrm",
 "uuid": "b541a056-154c-41e7-8a56-41db3f871c00",
- "version": 1
+ "version": 2
 }
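Review bot: Replacing `"Exfiltration"` with `"Impact"` in the galaxy's kill-chain list drops the Exfiltration tactic entirely, so any cluster entry under the `atrm` namespace whose `kill_chain` still carries `ATRM-tactics:Exfiltration` would reference a tactic this galaxy no longer declares; the cluster side is not visible here, so that needs confirming before merge. A validation step that checks every `ATRM-tactics:<name>` tag in the cluster file against the names in this list would catch that drift on this retagging and on future ones. Bumping `"version"` to 2 is correct for a tactic-set change, since consumers keying on the old tactic name will need to resync.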