Merge pull request #890 from Mathieu4141/threat-actors/7ca42298-3f55-49c0-b88d-dc7b14733dbb

[threat-actors] Add 10 actors
2023-11-07 21:03:51 +01:00 · 2023-11-07 21:03:51 +01:00 · 89e39ddb3f
parent 4b4f1e895a f52382a29a
commit 89e39ddb3f
1 changed files with 123 additions and 0 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -12688,6 +12688,129 @@
      },
      "uuid": "825abfd9-7238-4438-a9e7-c08791f4df4e",
      "value": "TraderTraitor"
+    },
+    {
+      "description": "The Dark Overlord is a financially motivated ransomware group that has been active since 2016. The group is known for targeting large organizations, including Netflix, ABC, and Miramax.",
+      "meta": {
+        "refs": [
+          "https://www.databreaches.net/peachtree-orthopedics-alerts-patients-of-cyberattack-third-patient-data-breach-in-seven-years/",
+          "http://securityaffairs.co/wordpress/64782/data-breach/london-bridge-plastic-surgery-hack.html",
+          "http://www.csoonline.com/article/3193397/security/no-netflix-is-not-a-victim-of-ransomware.html"
+        ]
+      },
+      "uuid": "167bd5f9-fa61-4a4e-91bc-3ca0d17294b2",
+      "value": "TheDarkOverlord"
+    },
+    {
+      "description": "UNC2565 is a threat group that has used the GOOTLOADER downloader to deliver Cobalt Strike BEACON. These intrusions have stemmed from victims accessing malicious websites that use SEO techniques to improve Google search rankings. After obtaining a foothold in the environment, UNC2565 has conducted reconnaissance and credential harvesting activity using common tools such as BLOODHOUND and KERBEROAST. UNC2565's motivations are currently unknown but overlaps with activity that has led to SODINOKIBI ransomware. This suggests that the threat group may be financially motivated.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations",
+          "https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/",
+          "https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/"
+        ],
+        "synonyms": [
+          "Hive0127"
+        ]
+      },
+      "uuid": "d7d270d2-b91f-4978-a9e9-76fa7f0d8f06",
+      "value": "UNC2565"
+    },
+    {
+      "description": "Desorden (Disorder in Spanish, previously known as ChaosCC), is a financially motivated hacker group. The group first emerged under the new name Desorden in September 2021, on Raidforums. Today the group maintains users under that name on several popular English-speaking hacking forums, where they share their attacks and ransom demands, and offer databases for sale. The group gained an excellent reputation among the cybercriminal communities due to their successful operations and the unique data that they share and offer for sale.",
+      "meta": {
+        "refs": [
+          "https://www.databreaches.net/major-malaysian-water-utilities-company-hit-by-hackers-ranhill-offline-hackers-claim-databases-and-backups-deleted/",
+          "https://www.databreaches.net/one-month-later-ranhill-still-hasnt-fully-recovered-from-cyberattack/",
+          "https://www.databreaches.net/malaysian-online-stock-brokerage-firm-victim-of-cyberattack/",
+          "https://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/",
+          "https://www.databreaches.net/thailands-the-icon-group-hacked-by-desorden/",
+          "https://www.databreaches.net/customer-data-from-hundreds-of-indonesian-and-malaysian-restaurants-hacked-by-desorden/",
+          "https://www.databreaches.net/major-indonesia-tollroad-operator-hacked-by-desorden/",
+          "https://www.databreaches.net/recent-cyberattacks-put-thai-citizens-privacy-and-data-security-at-greater-risk/",
+          "https://www.databreaches.net/thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks/",
+          "https://seclists.org/dataloss/2021/q4/81"
+        ]
+      },
+      "uuid": "e89ebfcb-e7a3-4b2d-b0d7-399bb4904e27",
+      "value": "Desorden Group"
+    },
+    {
+      "description": "Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's neighbouring countries such as Pakistan and China. It has a strong interest in targets in the fields of military, government and energy.",
+      "meta": {
+        "country": "IN",
+        "refs": [
+          "https://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477",
+          "https://blog.nsfocus.net/aptconfuciuspakistanibo/"
+        ]
+      },
+      "uuid": "54618130-55d3-4506-b62b-67f2dca12b04",
+      "value": "Confucious"
+    },
+    {
+      "description": "CrowdStrike identified a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure. Called “Kiss-a-dog,” the campaign targets Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized “dog” mining pools.",
+      "meta": {
+        "refs": [
+          "https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/"
+        ]
+      },
+      "uuid": "1db6375f-0471-47c5-8128-5ab1519b01ab",
+      "value": "Kiss-a-Dog"
+    },
+    {
+      "description": "Microsoft reported on MCCrash, an IoT botnet operated by the DEV-1028 threat actor and used to launch DDoS attacks against private Minecraft servers.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/"
+        ]
+      },
+      "uuid": "6616d2ac-2025-47f8-bb1a-1ece2b627c16",
+      "value": "DEV-1028"
+    },
+    {
+      "description": "TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new topic threads of their own. To date, dozens of visits were recorded from within Hong Kong, with a couple from Macau. The technical details around the functionality of the iOS implant, called LightSpy, and related infrastructure, reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.",
+      "meta": {
+        "refs": [
+          "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
+          "https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/"
+        ]
+      },
+      "uuid": "533af03d-e160-4312-a92f-0500055f2b56",
+      "value": "TwoSail Junk"
+    },
+    {
+      "description": "Cloud security company Lacework says it discovered a threat actor group named Xcatze that uses a Python named AndroxGh0st to take over AWS servers and send out massive email spam campaigns. Lacework says the malware operates by scanning web apps written in the Laravel PHP framework for exposed configuration files to identify and steal server credentials. Researchers said AndroxGh0st specifically searches for AWS, SendGrid, and Twilio credentials, which it uses to take control of email servers and accounts and send out the spam campaigns.",
+      "meta": {
+        "refs": [
+          "https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/"
+        ]
+      },
+      "uuid": "83764206-8012-47c6-9c7a-dc04c99559e7",
+      "value": "Xcatze"
+    },
+    {
+      "description": "Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign.",
+      "meta": {
+        "refs": [
+          "http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa"
+        ]
+      },
+      "uuid": "87f1ab70-a102-4566-a09e-838b39c18a62",
+      "value": "BlueBottle"
+    },
+    {
+      "description": "The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and demands money. Their targets of attack are usually Windows servers that are poorly managed or are not patched to the latest version. Besides these, there are also attack cases that targeted email servers or MS-SQL database servers.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://asec.ahnlab.com/en/56941/",
+          "https://asec.ahnlab.com/en/56236/",
+          "https://asec.ahnlab.com/en/47455/",
+          "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
+        ]
+      },
+      "uuid": "be4ea668-6a74-44d9-946e-e98e64a8855b",
+      "value": "Dalbit"
    }
  ],
  "version": 293