From 6da7b218fc516d5d01583a9631f158e618f08bfc Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 7 Nov 2023 10:37:07 -0800
Subject: [PATCH 01/10] [threat-actors] Add TheDarkOverlord
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2f88cb7..9f44df9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12688,6 +12688,18 @@
 },
 "uuid": "825abfd9-7238-4438-a9e7-c08791f4df4e",
 "value": "TraderTraitor"
+ },
+ {
+ "description": "The Dark Overlord is a financially motivated ransomware group that has been active since 2016. The group is known for targeting large organizations, including Netflix, ABC, and Miramax.",
+ "meta": {
+ "refs": [
+ "https://www.databreaches.net/peachtree-orthopedics-alerts-patients-of-cyberattack-third-patient-data-breach-in-seven-years/",
+ "http://securityaffairs.co/wordpress/64782/data-breach/london-bridge-plastic-surgery-hack.html",
+ "http://www.csoonline.com/article/3193397/security/no-netflix-is-not-a-victim-of-ransomware.html"
+ ]
+ },
+ "uuid": "167bd5f9-fa61-4a4e-91bc-3ca0d17294b2",
+ "value": "TheDarkOverlord"
 }
 ],
 "version": 293
From e1eec18aa3896743bc6cdf9ff6ab651bfd0101f5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 7 Nov 2023 10:37:07 -0800
Subject: [PATCH 02/10] [threat-actors] Add UNC2565
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9f44df9..a9b4333 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
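Review bot: The added entry calls The Dark Overlord a "ransomware group" while its own third reference is titled `no-netflix-is-not-a-victim-of-ransomware`, so the description contradicts a source it cites; consistent with that reference the group is better described as a financially motivated data-theft extortion group, e.g. `"description": "The Dark Overlord is a financially motivated extortion group, active since 2016, that steals data from organizations and threatens to leak it; reported victims include Netflix, ABC, and Miramax."`. The name also appears in two spellings (`TheDarkOverlord` as `value`, `The Dark Overlord` in the description), so `"synonyms": ["The Dark Overlord"]` under `meta` would keep lookups working, and the cluster is worth checking for an existing entry under either spelling before a new uuid is minted. Separately, every hunk in this series (patches 01 through 10) leaves the closing `"version": 293` as an unchanged context line; MISP galaxy consumers decide whether to re-import a cluster by comparing that number, so the last patch of the series should bump it.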
@@ -12700,6 +12700,21 @@
 },
 "uuid": "167bd5f9-fa61-4a4e-91bc-3ca0d17294b2",
 "value": "TheDarkOverlord"
+ },
+ {
+ "description": "UNC2565 is a threat group that has used the GOOTLOADER downloader to deliver Cobalt Strike BEACON. These intrusions have stemmed from victims accessing malicious websites that use SEO techniques to improve Google search rankings. After obtaining a foothold in the environment, UNC2565 has conducted reconnaissance and credential harvesting activity using common tools such as BLOODHOUND and KERBEROAST. UNC2565's motivations are currently unknown but overlaps with activity that has led to SODINOKIBI ransomware. This suggests that the threat group may be financially motivated.",
+ "meta": {
+ "refs": [
+ "https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations",
+ "https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/",
+ "https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/"
+ ],
+ "synonyms": [
+ "Hive0127"
+ ]
+ },
+ "uuid": "d7d270d2-b91f-4978-a9e9-76fa7f0d8f06",
+ "value": "UNC2565"
 }
 ],
 "version": 293
From 34e03e6b5680d640d6d65bf522e118fbd7a431b7 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 7 Nov 2023 10:37:08 -0800
Subject: [PATCH 03/10] [threat-actors] Add Desorden Group
---
 clusters/threat-actor.json | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a9b4333..b45dae3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
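Review bot: The UNC2565 description freezes time-relative wording into a static cluster entry (`UNC2565's motivations are currently unknown`), which will read as current long after the cited reporting is stale; the same pattern appears in the TwoSail Junk hunk (`To date, dozens of visits were recorded`) and the Bluebottle hunk (`is continuing to mount attacks`). Anchoring each statement to its source, e.g. `As of Mandiant's reporting, UNC2565's motivations were unknown, but the activity overlaps with intrusions that led to SODINOKIBI ransomware.`, keeps the entry accurate as it ages. The first reference is the Mandiant post the description paraphrases, so no additional source is needed for that rewording.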
@@ -12715,6 +12715,25 @@
 },
 "uuid": "d7d270d2-b91f-4978-a9e9-76fa7f0d8f06",
 "value": "UNC2565"
+ },
+ {
+ "description": "Desorden (Disorder in Spanish, previously known as ChaosCC), is a financially motivated hacker group. The group first emerged under the new name Desorden in September 2021, on Raidforums. Today the group maintains users under that name on several popular English-speaking hacking forums, where they share their attacks and ransom demands, and offer databases for sale. The group gained an excellent reputation among the cybercriminal communities due to their successful operations and the unique data that they share and offer for sale.",
+ "meta": {
+ "refs": [
+ "https://www.databreaches.net/major-malaysian-water-utilities-company-hit-by-hackers-ranhill-offline-hackers-claim-databases-and-backups-deleted/",
+ "https://www.databreaches.net/one-month-later-ranhill-still-hasnt-fully-recovered-from-cyberattack/",
+ "https://www.databreaches.net/malaysian-online-stock-brokerage-firm-victim-of-cyberattack/",
+ "https://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/",
+ "https://www.databreaches.net/thailands-the-icon-group-hacked-by-desorden/",
+ "https://www.databreaches.net/customer-data-from-hundreds-of-indonesian-and-malaysian-restaurants-hacked-by-desorden/",
+ "https://www.databreaches.net/major-indonesia-tollroad-operator-hacked-by-desorden/",
+ "https://www.databreaches.net/recent-cyberattacks-put-thai-citizens-privacy-and-data-security-at-greater-risk/",
+ "https://www.databreaches.net/thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks/",
+ "https://seclists.org/dataloss/2021/q4/81"
+ ]
+ },
+ "uuid": "e89ebfcb-e7a3-4b2d-b0d7-399bb4904e27",
+ "value": "Desorden Group"
 }
 ],
 "version": 293
From c36ddd75dbc55a0504f75205cc33100ea8de4a47 Mon Sep 17 00:00:00 2001
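Review bot: The Desorden description names two aliases that `meta` does not capture — the group is called `Desorden` throughout and is said to be `previously known as ChaosCC` — while `value` is `Desorden Group`, so neither alias will match a lookup; add `"synonyms": ["Desorden", "ChaosCC"]` under `meta`. The final sentence (`gained an excellent reputation among the cybercriminal communities`) reads as promotional rather than descriptive and could be reduced to a neutral statement that the group advertises breaches and sells stolen databases on those forums. Nine of the ten references come from the same site, so a second source for the ChaosCC lineage would strengthen the alias claim.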
From: Mathieu4141
Date: Tue, 7 Nov 2023 10:37:08 -0800
Subject: [PATCH 04/10] [threat-actors] Add Confucious
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b45dae3..2d6d1db 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12734,6 +12734,18 @@
 },
 "uuid": "e89ebfcb-e7a3-4b2d-b0d7-399bb4904e27",
 "value": "Desorden Group"
+ },
+ {
+ "description": "Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's neighbouring countries such as Pakistan and China. It has a strong interest in targets in the fields of military, government and energy.",
+ "meta": {
+ "country": "IN",
+ "refs": [
+ "https://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477",
+ "https://blog.nsfocus.net/aptconfuciuspakistanibo/"
+ ]
+ },
+ "uuid": "54618130-55d3-4506-b62b-67f2dca12b04",
+ "value": "Confucious"
 }
 ],
 "version": 293
From 5069f865551a978f7805c1c94a12313e9ccb871e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 7 Nov 2023 10:37:08 -0800
Subject: [PATCH 05/10] [threat-actors] Add Kiss-a-Dog
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2d6d1db..5e7bf3e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
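Review bot: `"value": "Confucious"` is misspelled relative to the entry's own description (`Confucius`) and the second reference URL (`aptconfucius`); since `value` is the lookup key it should read `"value": "Confucius"`. A misspelled key also defeats duplicate detection, so the cluster should be checked for an existing Confucius entry before a second uuid is added. `funded by India` is stated as fact although the cited vendor posts are assessments; phrasing it as an assessment, or letting `"country": "IN"` carry the attribution on its own, is the safer wording.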
@@ -12746,6 +12746,16 @@
 },
 "uuid": "54618130-55d3-4506-b62b-67f2dca12b04",
 "value": "Confucious"
+ },
+ {
+ "description": "CrowdStrike identified a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure. Called “Kiss-a-dog,” the campaign targets Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized “dog” mining pools.",
+ "meta": {
+ "refs": [
+ "https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/"
+ ]
+ },
+ "uuid": "1db6375f-0471-47c5-8128-5ab1519b01ab",
+ "value": "Kiss-a-Dog"
 }
 ],
 "version": 293
From c0dda66200adea957571476705cbec0a7e011a91 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 7 Nov 2023 10:37:08 -0800
Subject: [PATCH 06/10] [threat-actors] Add DEV-1028
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5e7bf3e..f167c72 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12756,6 +12756,16 @@
 },
 "uuid": "1db6375f-0471-47c5-8128-5ab1519b01ab",
 "value": "Kiss-a-Dog"
+ },
+ {
+ "description": "Microsoft reported on MCCrash, an IoT botnet operated by the DEV-1028 threat actor and used to launch DDoS attacks against private Minecraft servers.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/"
+ ]
+ },
+ "uuid": "6616d2ac-2025-47f8-bb1a-1ece2b627c16",
+ "value": "DEV-1028"
 }
 ],
 "version": 293
From 44617774b60b026238cf8fbb0c6317b5279316a5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 7 Nov 2023 10:37:08 -0800
Subject: [PATCH 07/10] [threat-actors] Add TwoSail Junk
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f167c72..29a66e0 100644
--- a/clusters/threat-actor.json
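Review bot: The Kiss-a-Dog description itself calls this a `cryptojacking campaign` rather than a group, yet the entry lands in the threat-actor cluster with the campaign name as `value`; either the description should say that the operator is unattributed and the campaign name stands in for the actor, or the entry belongs in a campaign-oriented cluster. Casing also differs between `value` (`Kiss-a-Dog`) and the description and reference slug (`Kiss-a-dog`), so one form should be chosen or the other added as a synonym. The typographic quotes around “Kiss-a-dog” and “dog” are valid UTF-8 in JSON but no other description in this series uses them, so normalising to ASCII or dropping them avoids a stray encoding style.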
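Review bot: `DEV-1028` is one of Microsoft's provisional `DEV-####` designations, which Microsoft replaces once attribution matures, so the entry will be hard to reconcile later unless that is recorded; add a sentence such as `DEV-1028 is Microsoft's provisional designation for this actor; any permanent name should be tracked as a synonym.` to the description. The description is otherwise about the MCCrash botnet, which is tooling rather than the actor, so a short statement that only the botnet has been publicly described would make the entry self-describing.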
+++ b/clusters/threat-actor.json
@@ -12766,6 +12766,17 @@
 },
 "uuid": "6616d2ac-2025-47f8-bb1a-1ece2b627c16",
 "value": "DEV-1028"
+ },
+ {
+ "description": "TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new topic threads of their own. To date, dozens of visits were recorded from within Hong Kong, with a couple from Macau. The technical details around the functionality of the iOS implant, called LightSpy, and related infrastructure, reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
+ "https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/"
+ ]
+ },
+ "uuid": "533af03d-e160-4312-a92f-0500055f2b56",
+ "value": "TwoSail Junk"
 }
 ],
 "version": 293
From 59bd2763bc8341dc2b4b7fe39cd5c7d6b167c78d Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 7 Nov 2023 10:37:08 -0800
Subject: [PATCH 08/10] [threat-actors] Add Xcatze
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 29a66e0..4c06eec 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
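Review bot: The TwoSail Junk description opens mid-narrative (`directs visitors to its exploit site by posting links within the threads of forum discussions`) without saying what the actor is, so a reader of the cluster lacks the framing the source provides; prefix a sentence such as `TwoSail Junk is the actor behind a watering-hole operation against iOS users in Hong Kong that delivered the LightSpy implant, as described in the securelist reports cited.` and keep the existing text after it. `LightSpy` is named only in prose; if the galaxy has an entry for that implant, expressing the link through `related` makes it machine-readable rather than a string match.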
@@ -12777,6 +12777,16 @@
 },
 "uuid": "533af03d-e160-4312-a92f-0500055f2b56",
 "value": "TwoSail Junk"
+ },
+ {
+ "description": "Cloud security company Lacework says it discovered a threat actor group named Xcatze that uses a Python named AndroxGh0st to take over AWS servers and send out massive email spam campaigns. Lacework says the malware operates by scanning web apps written in the Laravel PHP framework for exposed configuration files to identify and steal server credentials. Researchers said AndroxGh0st specifically searches for AWS, SendGrid, and Twilio credentials, which it uses to take control of email servers and accounts and send out the spam campaigns.",
+ "meta": {
+ "refs": [
+ "https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/"
+ ]
+ },
+ "uuid": "83764206-8012-47c6-9c7a-dc04c99559e7",
+ "value": "Xcatze"
 }
 ],
 "version": 293
From 56f990d1005239a096bd4ad6b5c9952b89d363ed Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 7 Nov 2023 10:37:08 -0800
Subject: [PATCH 09/10] [threat-actors] Add BlueBottle
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4c06eec..e1884a0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12787,6 +12787,16 @@
 },
 "uuid": "83764206-8012-47c6-9c7a-dc04c99559e7",
 "value": "Xcatze"
+ },
+ {
+ "description": "Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign.",
+ "meta": {
+ "refs": [
+ "http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa"
+ ]
+ },
+ "uuid": "87f1ab70-a102-4566-a09e-838b39c18a62",
+ "value": "BlueBottle"
 }
 ],
 "version": 293
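Review bot: The Xcatze description has a dropped word — `uses a Python named AndroxGh0st` — which should read `uses a Python-based malware named AndroxGh0st`, matching the reference title (`androxghost-the-python-malware`). The rest of the description is about the tooling and its credential targets; since this cluster is keyed by actor, it should state explicitly that Xcatze is the name Lacework assigned to the operator of AndroxGh0st, which the first sentence only implies.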
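Review bot: `"value": "BlueBottle"` disagrees in casing with the description (`Bluebottle`) and the reference slug (`bluebottle-banks-targeted-africa`); since `value` is the lookup key it should follow the source spelling, `"value": "Bluebottle"`, or the variant should be listed in `synonyms`. This hunk's only reference, and two of the TheDarkOverlord references in patch 01, use plain `http://` where the rest of the series uses `https://`; upgrading them avoids consumers fetching intelligence sources over an unauthenticated channel.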
From f52382a29ab61228367348f72e77cba637ae7eee Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 7 Nov 2023 10:37:08 -0800
Subject: [PATCH 10/10] [threat-actors] Add Dalbit
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e1884a0..aef7928 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12797,6 +12797,20 @@
 },
 "uuid": "87f1ab70-a102-4566-a09e-838b39c18a62",
 "value": "BlueBottle"
+ },
+ {
+ "description": "The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and demands money. Their targets of attack are usually Windows servers that are poorly managed or are not patched to the latest version. Besides these, there are also attack cases that targeted email servers or MS-SQL database servers.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://asec.ahnlab.com/en/56941/",
+ "https://asec.ahnlab.com/en/56236/",
+ "https://asec.ahnlab.com/en/47455/",
+ "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
+ ]
+ },
+ "uuid": "be4ea668-6a74-44d9-946e-e98e64a8855b",
+ "value": "Dalbit"
 }
 ],
 "version": 293
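Review bot: The Dalbit description never names the actor it describes — it opens with `The group usually targets vulnerable servers` — so a reader arriving via uuid or a synonym cannot tell what `The group` refers to; open with `Dalbit is a threat group, described by AhnLab ASEC, that usually targets vulnerable servers ...` and keep the remaining text. `"country": "CN"` asserts an attribution that nothing in the description supports; add the sentence in which the cited reporting makes that assessment so the field is traceable rather than bare. `poorly managed or are not patched to the latest version` would also read more cleanly as `poorly managed or unpatched`.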