diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 36c6db6d..9b2cbe8f 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -139,7 +139,40 @@
 },
 "uuid": "1523a693-5d90-4da1-86d2-b5d22317820d",
 "value": "BazarBackdoor"
+ },
+ {
+ "description": "Backdoor.Sunburst is Malwarebytes’ detection name for a trojanized update to SolarWind’s Orion IT monitoring and management software.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://www.varonis.com/blog/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/",
+ "https://blog.malwarebytes.com/detections/backdoor-sunburst/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/"
+ ],
+ "synonyms": [
+ "Solarigate"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d9b2305e-9802-483c-a95d-2ae8525c7704",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "dropped-by"
+ },
+ {
+ "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
+ "uuid": "16902832-0118-40f2-b29e-eaba799b2bf4",
+ "value": "SUNBURST"
 }
 ],
- "version": 10
+ "version": 11
 }
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 1927f894..7f38304e 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
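Review bot: The synonym added as `"Solarigate"` does not match the spelling used in the hunk's own Microsoft references, whose URLs read `solorigate`, so a lookup by the vendor's name would miss this entry; change it to `"Solorigate"`. The description also reads `SolarWind’s`, which should be `SolarWinds’`. The `related` links to `d9b2305e-9802-483c-a95d-2ae8525c7704` (dropped-by) and `d7247cf9-13b6-4781-b789-a5f33521633b` (used-by) match the SUNSPOT and NOBELIUM entries touched elsewhere in this commit, so the cross-references look consistent. The enclosing array starts outside the hunk.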
@@ -297,7 +297,61 @@
 },
 "uuid": "fbb66d6c-0faa-49cc-8aa3-2f9bd4e9c298",
 "value": "HAFNIUM"
+ },
+ {
+ "description": "Threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "16902832-0118-40f2-b29e-eaba799b2bf4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "aba3fd7d-87cc-4266-82a1-d458ae299266",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1e912590-c879-4a9c-81b9-2d31e82ac718",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "value": "NOBELIUM"
 }
 ],
- "version": 10
+ "version": 11
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c6a9be67..cbe8fb45 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8356,6 +8356,15 @@
 "NOBELIUM"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
 "value": "UNC2452"
 },
diff --git a/clusters/tool.json b/clusters/tool.json
index eaf39613..d4600aaf 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
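Review bot: The last two `uses` objects in NOBELIUM's `related` array carry `"dest-uuid": ""`, which is a dangling reference that a consumer resolving relationships cannot follow and that any UUID-format check on `dest-uuid` will reject. The tool.json hunk in this same commit adds GoldFinder (`235832b0-ee82-4ed9-8cbd-99cd3cc3596c`) and Sibot (`1422b81c-a3c6-4229-8523-82d705400f46`), each with a `used-by` link back to this actor's uuid, so the two placeholders presumably belong to them; fill them in or drop the two objects rather than committing empty strings. The threat-actor.json hunk that follows only adds the reverse `similar` link to this entry and needs no change. The enclosing array starts outside the hunk.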
@@ -8229,6 +8229,15 @@
 "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "16902832-0118-40f2-b29e-eaba799b2bf4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "dropped"
+ }
+ ],
 "uuid": "d9b2305e-9802-483c-a95d-2ae8525c7704",
 "value": "SUNSPOT"
 },
@@ -8292,7 +8301,118 @@ "related": [], "uuid": "d357a6ff-00e5-4fcc-8b9e-4a9d98a736e7", "value": "RDAT" + }, + { + "description": "Loader used in hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders.", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" + ] + }, + "related": [ + { + "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "6c562458-7970-4d61-aded-1fe4a9002404", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" + } + ], + "uuid": "aba3fd7d-87cc-4266-82a1-d458ae299266", + "value": "TEARDROP" + }, + { + "description": "Written in Go, GoldMax acts as command-and-control backdoor for the actor. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running.\nGoldMax establishes a secure session key with its C2 and uses that key to securely communicate with the C2, preventing non-GoldMax-initiated connections from receiving and identifying malicious traffic. The C2 can send commands to be launched for various operations, including native OS commands, via psuedo-randomly generated cookies. 
The hardcoded cookies are unique to each implant, appearing to be random strings but mapping to victims and operations on the actor side.", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" + ] + }, + "related": [ + { + "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], + "uuid": "1e912590-c879-4a9c-81b9-2d31e82ac718", + "value": "GoldMax" + }, + { + "description": "Loader used in hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders.", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" + ] + }, + "related": [ + { + "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "aba3fd7d-87cc-4266-82a1-d458ae299266", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" + } + ], + "uuid": "6c562458-7970-4d61-aded-1fe4a9002404", + "value": "Raindrop" + }, + { + "description": "Tool written in Go, GoldFinder was most likely used as a custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server. When launched, the malware issues an HTTP request for a hardcoded IP address (e.g., hxxps://185[.]225[.]69[.]69/) and logs the HTTP response to a plaintext log file (e.g., loglog.txt created in the present working directory). 
GoldFinder uses the following hardcoded labels to store the request and response information in the log file:", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" + ] + }, + "related": [ + { + "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], + "uuid": "235832b0-ee82-4ed9-8cbd-99cd3cc3596c", + "value": "GoldFinder" + }, + { + "description": "Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task.", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" + ] + }, + "related": [ + { + "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], + "uuid": "1422b81c-a3c6-4229-8523-82d705400f46", + "value": "Sibot" } ], - "version": 144 + "version": 145 }
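Review bot: The GoldFinder description ends mid-thought at `...to store the request and response information in the log file:` — the list the colon introduces was not carried over from the cited Microsoft post, so either drop that final sentence or complete it; in the same hunk `psuedo-randomly` in the GoldMax description should be `pseudo-randomly`. The TEARDROP and Raindrop descriptions are the same text verbatim (`Loader used in hands-on-keyboard techniques ...`), which gives a reader no way to tell the two `variant-of` siblings apart; the deep-dive reference both entries cite is the place to source a distinguishing sentence for Raindrop. The breaks inside the GoldMax and GoldFinder descriptions (after `cookies.` and `directory).`) look like wrapping artefacts of this rendering, but if they are literal newlines in the file a strict JSON parser will reject the string — they must be escaped as `\n` like the one earlier in the GoldMax text. The defanged C2 address and `loglog.txt` filename in the GoldFinder description sit only in free text, so they will not be matched as indicators; if they are meant to be actionable they belong in an attribute rather than prose. The enclosing array starts outside the hunk.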