Merge pull request #960 from Mathieu4141/threat-actors/666b2554-9bea-42e8-9e11-299597de70b3

[threat actors] Adding 8 new actors + 4 aliases
pull/955/head v2.4.190
Alexandre Dulaunoy 2024-04-18 14:16:39 +02:00 committed by GitHub
commit 8e8c3fa93d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 103 additions and 8 deletions


@ -2829,6 +2829,7 @@
"https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine",
"https://cert.gov.ua/article/405538",
"https://cip.gov.ua/services/cm/api/attachment/download?id=60068",
"https://packetstormsecurity.com/news/view/35790/Recent-OT-And-Espionage-Attacks-Linked-To-Russias-Sandworm-Now-Named-APT44.html",
"https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm?linkId=9627235",
"https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"
],
@ -8205,7 +8206,9 @@
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
"https://unit42.paloaltonetworks.com/atoms/mangataurus/",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html",
"https://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html"
],
"synonyms": [
"CIRCUIT PANDA",
@ -8215,7 +8218,8 @@
"G0098",
"T-APT-03",
"Manga Taurus",
"Red Djinn"
"Red Djinn",
"Earth Hundun"
]
},
"uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
@ -8700,7 +8704,8 @@
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
"https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf"
"https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
"https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html"
],
"synonyms": [
"G0096",
@ -8718,7 +8723,8 @@
"Earth Baku",
"Amoeba",
"HOODOO",
"Brass Typhoon"
"Brass Typhoon",
"Earth Freybug"
]
},
"related": [
@ -12366,11 +12372,18 @@
"country": "CN",
"refs": [
"https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations",
"https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"
"https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/",
"https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/",
"https://www.dragos.com/threat/voltzite/"
],
"synonyms": [
"BRONZE SILHOUETTE",
"VANGUARD PANDA"
"VANGUARD PANDA",
"UNC3236",
"Insidious Taurus",
"VOLTZITE",
"Dev-0391",
"Storm-0391"
]
},
"uuid": "f02679fa-5e85-4050-8eb5-c2677d93306f",
@ -14836,11 +14849,13 @@
"https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/",
"https://paper.seebug.org/3031/",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11",
"https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/"
"https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/",
"https://gbhackers.com/vedalia-apt-group-exploits/"
],
"synonyms": [
"OSMIUM",
"Konni"
"Konni",
"Vedalia"
]
},
"uuid": "5f71a9ea-511d-4fdd-9807-271ef613f488",
@ -15549,6 +15564,86 @@
},
"uuid": "0b158297-ee47-48ef-9346-0cb0f9cb348a",
"value": "UNC5174"
},
{
"description": "CyberNiggers is a threat group known for breaching various organizations, including the US military, federal contractors, and multinational corporations like General Electric. Led by the prominent member IntelBroker, they specialize in selling access to compromised systems and stealing sensitive data, such as military files and personally identifiable information. The group has targeted a diverse portfolio of organizations, showcasing their strategic approach to gathering varied sets of information. Their activities raise concerns about national security, individual privacy, and the need for robust cybersecurity measures to mitigate the impact of cyber adversaries.",
"meta": {
"refs": [
"https://socradar.io/acuity-federal-breach-okta-leak-dcrat-exploit/",
"https://socradar.io/u-s-faces-cyber-onslaught-fico-breach-id-cc-military-data-sale/",
"https://socradar.io/dark-web-profile-cyberniggers/"
]
},
"uuid": "21ad5aad-0a55-457d-b94d-3b4565e82e0a",
"value": "CyberNiggers"
},
{
"description": "Bignosa is a threat actor known for launching malware campaigns targeting Australian and US organizations using phishing emails with disguised Agent Tesla attachments protected by Cassandra Protector. They compromised servers by installing Plesk and RoundCube, connected via SSH and RDP, and used advanced obfuscation methods to evade detection. Bignosa collaborated with another cybercriminal named Gods, who provided advice and assistance in their malicious activities. The actor has been linked to multiple phishing attacks and malware distribution campaigns, showcasing a high level of sophistication in their operations.",
"meta": {
"country": "KE",
"refs": [
"https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/"
]
},
"uuid": "07232925-bd1b-49a9-adca-46536ff6fdd8",
"value": "Bignosa"
},
{
"description": "The Smishing Triad is a Chinese-speaking threat group known for targeting postal services and their customers globally through smishing campaigns. They leverage compromised Apple iMessage accounts to send fraudulent messages warning of undeliverable packages, aiming to collect personally identifying information and payment credentials. The group offers smishing kits for sale on platforms like Telegram, enabling other cybercriminals to launch independent attacks. \"Smishing Triad\" has expanded its operations to target UAE citizens, using geo-filtering to focus on victims in the Emirates.",
"meta": {
"country": "CN",
"refs": [
"https://www.resecurity.com/blog/article/Smishing-Triad-Impersonates-Emirates-Post-Target-UAE-Citizens"
]
},
"uuid": "85db04b5-1ec2-4e25-908a-f53576bd175a",
"value": "Smishing Triad"
},
{
"description": "Blackjack, a threat actor linked to Ukraine's security apparatus, has targeted critical Russian entities such as ISPs, utilities, and military infrastructure. They have claimed responsibility for launching cyberattacks resulting in substantial damage and data exfiltration. The group allegedly used the Fuxnet malware to target sensor gateways connected to internet-connected sensors, impacting infrastructure monitoring systems. Blackjack has also been involved in attacks against companies like Moscollector, causing disruptions and stealing sensitive data.",
"meta": {
"country": "UA",
"refs": [
"https://www.enigmasoftware.com/fuxneticsmalware-removal/",
"https://www.securityweek.com/destructive-ics-malware-fuxnet-used-by-ukraine-against-russian-infrastructure/",
"https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware",
"https://www.rewterz.com/rewterz-news/rewterz-threat-update-pro-ukraine-hacktivists-breach-russian-isp-as-revenge-for-kyivstar-attack/"
]
},
"uuid": "a5aa9b72-2bfb-427c-97fc-6ec04357233b",
"value": "BlackJack"
},
{
"description": "CoralRaider is a financially motivated threat actor of Vietnamese origin, targeting victims in Asian and Southeast Asian countries since at least 2023. They use the RotBot loader family and XClient stealer to steal victim information, with hardcoded Vietnamese words in their payloads. CoralRaider operates from Hanoi, Vietnam, and uses a Telegram bot as a C2 channel for their malicious campaigns. Their activities include system reconnaissance, data exfiltration, and targeting victims in multiple countries in the region.",
"meta": {
"country": "VN",
"refs": [
"https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/"
]
},
"uuid": "20927a3f-d011-4e22-8268-0938d6816a13",
"value": "CoralRaider"
},
{
"description": "RUBYCARP is a financially-motivated threat actor group likely based in Romania, with a history of at least 10 years of activity. They operate a botnet using public exploits and brute force attacks, communicating via public and private IRC networks. RUBYCARP targets vulnerabilities in frameworks like Laravel and WordPress, as well as conducting phishing operations to steal financial assets. They use a variety of tools, including the Perl Shellbot, for post-exploitation activities and have a diverse set of illicit income streams.",
"meta": {
"country": "RO",
"refs": [
"https://sysdig.com/blog/rubycarp-romanian-botnet-group/"
]
},
"uuid": "2742b229-02f4-40d0-9b99-91844a2b030e",
"value": "RUBYCARP"
},
{
"description": "Starry Addax is a threat actor targeting human rights activists associated with the Sahrawi Arab Democratic Republic using a novel mobile malware called FlexStarling. They conduct phishing attacks to trick targets into installing malicious Android applications and serve credential-harvesting pages to Windows-based targets. Their infrastructure targets both Windows and Android users, with the campaign starting with spear-phishing emails containing requests to install specific mobile apps or related themes. The campaign is in its early stages, with potential for additional malware variants and infrastructure development.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/starry-addax/"
]
},
"uuid": "579fde0d-0840-4e49-ad62-405ce338f5a6",
"value": "Starry Addax"
}
],
"version": 306
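Review bot: In the last hunk several new entries state `"country"` more firmly than their own description supports: RUBYCARP is described as "likely based in Romania" but gets `"country": "RO"`, Smishing Triad is only "Chinese-speaking" but gets `"CN"`, and the Bignosa description never mentions Kenya although its `meta` says `"KE"`. Anything that filters or pivots on `meta.country` will treat these as settled attribution, so I would add `"attribution-confidence": "<value chosen by the maintainers>"` next to each new `"country"` and state the basis for the Bignosa origin in its description. The BlackJack entry is spelled "Blackjack" throughout its description but "BlackJack" in `"value"`; use one spelling, and if both appear in reporting, list the other under `"synonyms"`. Its first ref, the enigmasoftware removal page, reads like a removal guide rather than research, and the Claroty and SecurityWeek refs appear to carry the Fuxnet claim on their own.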