Merge pull request #960 from Mathieu4141/threat-actors/666b2554-9bea-42e8-9e11-299597de70b3

[threat actors] Adding 8 new actors + 4 aliases
pull/955/head v2.4.190
Alexandre Dulaunoy 2024-04-18 14:16:39 +02:00 committed by GitHub
commit 8e8c3fa93d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 103 additions and 8 deletions

View File

@ -2829,6 +2829,7 @@
"https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine", "https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine",
"https://cert.gov.ua/article/405538", "https://cert.gov.ua/article/405538",
"https://cip.gov.ua/services/cm/api/attachment/download?id=60068", "https://cip.gov.ua/services/cm/api/attachment/download?id=60068",
"https://packetstormsecurity.com/news/view/35790/Recent-OT-And-Espionage-Attacks-Linked-To-Russias-Sandworm-Now-Named-APT44.html",
"https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm?linkId=9627235", "https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm?linkId=9627235",
"https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"
], ],
@ -8205,7 +8206,9 @@
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
"https://unit42.paloaltonetworks.com/atoms/mangataurus/", "https://unit42.paloaltonetworks.com/atoms/mangataurus/",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html",
"https://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html"
], ],
"synonyms": [ "synonyms": [
"CIRCUIT PANDA", "CIRCUIT PANDA",
@ -8215,7 +8218,8 @@
"G0098", "G0098",
"T-APT-03", "T-APT-03",
"Manga Taurus", "Manga Taurus",
"Red Djinn" "Red Djinn",
"Earth Hundun"
] ]
}, },
"uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e", "uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
@ -8700,7 +8704,8 @@
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
"https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf" "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
"https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html"
], ],
"synonyms": [ "synonyms": [
"G0096", "G0096",
@ -8718,7 +8723,8 @@
"Earth Baku", "Earth Baku",
"Amoeba", "Amoeba",
"HOODOO", "HOODOO",
"Brass Typhoon" "Brass Typhoon",
"Earth Freybug"
] ]
}, },
"related": [ "related": [
@ -12366,11 +12372,18 @@
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations", "https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations",
"https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/",
"https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/",
"https://www.dragos.com/threat/voltzite/"
], ],
"synonyms": [ "synonyms": [
"BRONZE SILHOUETTE", "BRONZE SILHOUETTE",
"VANGUARD PANDA" "VANGUARD PANDA",
"UNC3236",
"Insidious Taurus",
"VOLTZITE",
"Dev-0391",
"Storm-0391"
] ]
}, },
"uuid": "f02679fa-5e85-4050-8eb5-c2677d93306f", "uuid": "f02679fa-5e85-4050-8eb5-c2677d93306f",
@ -14836,11 +14849,13 @@
"https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/", "https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/",
"https://paper.seebug.org/3031/", "https://paper.seebug.org/3031/",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11",
"https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/" "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/",
"https://gbhackers.com/vedalia-apt-group-exploits/"
], ],
"synonyms": [ "synonyms": [
"OSMIUM", "OSMIUM",
"Konni" "Konni",
"Vedalia"
] ]
}, },
"uuid": "5f71a9ea-511d-4fdd-9807-271ef613f488", "uuid": "5f71a9ea-511d-4fdd-9807-271ef613f488",
@ -15549,6 +15564,86 @@
}, },
"uuid": "0b158297-ee47-48ef-9346-0cb0f9cb348a", "uuid": "0b158297-ee47-48ef-9346-0cb0f9cb348a",
"value": "UNC5174" "value": "UNC5174"
},
{
"description": "CyberNiggers is a threat group known for breaching various organizations, including the US military, federal contractors, and multinational corporations like General Electric. Led by the prominent member IntelBroker, they specialize in selling access to compromised systems and stealing sensitive data, such as military files and personally identifiable information. The group has targeted a diverse portfolio of organizations, showcasing their strategic approach to gathering varied sets of information. Their activities raise concerns about national security, individual privacy, and the need for robust cybersecurity measures to mitigate the impact of cyber adversaries.",
"meta": {
"refs": [
"https://socradar.io/acuity-federal-breach-okta-leak-dcrat-exploit/",
"https://socradar.io/u-s-faces-cyber-onslaught-fico-breach-id-cc-military-data-sale/",
"https://socradar.io/dark-web-profile-cyberniggers/"
]
},
"uuid": "21ad5aad-0a55-457d-b94d-3b4565e82e0a",
"value": "CyberNiggers"
},
{
"description": "Bignosa is a threat actor known for launching malware campaigns targeting Australian and US organizations using phishing emails with disguised Agent Tesla attachments protected by Cassandra Protector. They compromised servers by installing Plesk and RoundCube, connected via SSH and RDP, and used advanced obfuscation methods to evade detection. Bignosa collaborated with another cybercriminal named Gods, who provided advice and assistance in their malicious activities. The actor has been linked to multiple phishing attacks and malware distribution campaigns, showcasing a high level of sophistication in their operations.",
"meta": {
"country": "KE",
"refs": [
"https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/"
]
},
"uuid": "07232925-bd1b-49a9-adca-46536ff6fdd8",
"value": "Bignosa"
},
{
"description": "The Smishing Triad is a Chinese-speaking threat group known for targeting postal services and their customers globally through smishing campaigns. They leverage compromised Apple iMessage accounts to send fraudulent messages warning of undeliverable packages, aiming to collect personally identifying information and payment credentials. The group offers smishing kits for sale on platforms like Telegram, enabling other cybercriminals to launch independent attacks. \"Smishing Triad\" has expanded its operations to target UAE citizens, using geo-filtering to focus on victims in the Emirates.",
"meta": {
"country": "CN",
"refs": [
"https://www.resecurity.com/blog/article/Smishing-Triad-Impersonates-Emirates-Post-Target-UAE-Citizens"
]
},
"uuid": "85db04b5-1ec2-4e25-908a-f53576bd175a",
"value": "Smishing Triad"
},
{
"description": "Blackjack, a threat actor linked to Ukraine's security apparatus, has targeted critical Russian entities such as ISPs, utilities, and military infrastructure. They have claimed responsibility for launching cyberattacks resulting in substantial damage and data exfiltration. The group allegedly used the Fuxnet malware to target sensor gateways connected to internet-connected sensors, impacting infrastructure monitoring systems. Blackjack has also been involved in attacks against companies like Moscollector, causing disruptions and stealing sensitive data.",
"meta": {
"country": "UA",
"refs": [
"https://www.enigmasoftware.com/fuxneticsmalware-removal/",
"https://www.securityweek.com/destructive-ics-malware-fuxnet-used-by-ukraine-against-russian-infrastructure/",
"https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware",
"https://www.rewterz.com/rewterz-news/rewterz-threat-update-pro-ukraine-hacktivists-breach-russian-isp-as-revenge-for-kyivstar-attack/"
]
},
"uuid": "a5aa9b72-2bfb-427c-97fc-6ec04357233b",
"value": "BlackJack"
},
{
"description": "CoralRaider is a financially motivated threat actor of Vietnamese origin, targeting victims in Asian and Southeast Asian countries since at least 2023. They use the RotBot loader family and XClient stealer to steal victim information, with hardcoded Vietnamese words in their payloads. CoralRaider operates from Hanoi, Vietnam, and uses a Telegram bot as a C2 channel for their malicious campaigns. Their activities include system reconnaissance, data exfiltration, and targeting victims in multiple countries in the region.",
"meta": {
"country": "VN",
"refs": [
"https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/"
]
},
"uuid": "20927a3f-d011-4e22-8268-0938d6816a13",
"value": "CoralRaider"
},
{
"description": "RUBYCARP is a financially-motivated threat actor group likely based in Romania, with a history of at least 10 years of activity. They operate a botnet using public exploits and brute force attacks, communicating via public and private IRC networks. RUBYCARP targets vulnerabilities in frameworks like Laravel and WordPress, as well as conducting phishing operations to steal financial assets. They use a variety of tools, including the Perl Shellbot, for post-exploitation activities and have a diverse set of illicit income streams.",
"meta": {
"country": "RO",
"refs": [
"https://sysdig.com/blog/rubycarp-romanian-botnet-group/"
]
},
"uuid": "2742b229-02f4-40d0-9b99-91844a2b030e",
"value": "RUBYCARP"
},
{
"description": "Starry Addax is a threat actor targeting human rights activists associated with the Sahrawi Arab Democratic Republic using a novel mobile malware called FlexStarling. They conduct phishing attacks to trick targets into installing malicious Android applications and serve credential-harvesting pages to Windows-based targets. Their infrastructure targets both Windows and Android users, with the campaign starting with spear-phishing emails containing requests to install specific mobile apps or related themes. The campaign is in its early stages, with potential for additional malware variants and infrastructure development.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/starry-addax/"
]
},
"uuid": "579fde0d-0840-4e49-ad62-405ce338f5a6",
"value": "Starry Addax"
} }
], ],
"version": 306 "version": 306