Merge pull request #826 from jloehel/wasabi

[Proofpoint] [Campaign] Screentime
2023-03-09 06:37:13 +01:00 · 2023-03-09 06:37:13 +01:00 · 963a389216
parent 57f3e46273 9f9a263394
commit 963a389216
4 changed files with 131 additions and 4 deletions
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@ -196,7 +196,20 @@
      },
      "uuid": "7f95ebda-2c7b-49a4-ad57-bd5766a1f651",
      "value": "Album Stealer"
+    },
+    {
+      "description": "According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.",
+      "meta": {
+        "refs": [
+          "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88",
+          "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/",
+          "https://www.malware-traffic-analysis.net/2023/01/03/index.html",
+          "https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/"
+        ]
+      },
+      "uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6",
+      "value": "Rhadamanthys"
    }
  ],
-  "version": 11
+  "version": 12
 }
--- a/clusters/tds.json
+++ b/clusters/tds.json
@ -132,7 +132,20 @@
      },
      "uuid": "ec0048f2-a7b2-4a71-83de-6e8fe4fef252",
      "value": "Orchid TDS"
+    },
+    {
+      "description": "Proofpoint has tracked the 404 TDS since at least September 2022. Proofpoint is not aware if this is a service sold on underground forums, but it is likely a shared or sold tool due to its involvement in a variety of phishing and malware campaigns.",
+      "meta": {
+        "refs": [
+          "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+        ],
+        "type": [
+          "Underground"
+        ]
+      },
+      "uuid": "7b956ff0-9021-499c-82a4-24b958cb32d9",
+      "value": "404 TDS"
    }
  ],
-  "version": 4
+  "version": 5
 }
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -10564,7 +10564,55 @@
      ],
      "uuid": "eb0b100c-8a4e-4859-b6f8-eebd66c3d20c",
      "value": "Prophet Spider"
+    },
+    {
+      "description": "According to Proofpoint, TA866 is a newly identified threat actor that distributes malware via email utilizing both commodity and custom tools. While most of the activity observed occurred since October 2022, Proofpoint researchers identified multiple activity clusters since 2019 that overlap with TA866 activity. Most of the activity recently observed by Proofpoint suggests recent campaigns are financially motivated, however assessment of historic related activities suggests a possible, additional espionage objective.",
+      "meta": {
+        "motive": "mainly financially motivated, additional espionage objective.",
+        "references": [
+          "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "f3b7e302-152b-4c4e-85c2-82733b78d13f",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
+        },
+        {
+          "dest-uuid": "49ca568f-b6e4-49ff-963e-796f8207d185",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
+        },
+        {
+          "dest-uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
+        },
+        {
+          "dest-uuid": "5c7fa5e1-352a-41c3-8e55-744e5fa88793",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
+        },
+        {
+          "dest-uuid": "7b956ff0-9021-499c-82a4-24b958cb32d9",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
+        }
+      ],
+      "uuid": "a3c22f46-5135-4b39-a33f-92906ac12c31",
+      "value": "TA866"
    }
  ],
-  "version": 261
+  "version": 262
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -8701,7 +8701,60 @@
      },
      "uuid": "55d5853c-393e-449b-ab2b-871e3fe45288",
      "value": "TgToxic"
+    },
+    {
+      "description": "According to Proofpoint, WasabiSeed is a simple VBS downloader which repeatedly uses Windows Installer to connect to the C2 server looking for MSI packages to download and run. Proofpoint showed that it downloads and executes first a second MSI file containing Screenshotter.",
+      "meta": {
+        "refs": [
+          "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ],
+      "uuid": "f3b7e302-152b-4c4e-85c2-82733b78d13f",
+      "value": "WasabiSeed"
+    },
+    {
+      "description": "According to Proofpoint, this is a utility with a single function of taking a JPG screenshot of the user's desktop and submitting it to a remote C2 via a POST to a hardcoded IP address. This is helpful to the threat actor during the reconnaissance and victim profiling stage.",
+      "meta": {
+        "refs": [
+          "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+        ]
+      },
+      "uuid": "49ca568f-b6e4-49ff-963e-796f8207d185",
+      "value": "Screenshotter"
+    },
+    {
+      "description": "According to Proofpoint, this is a Lua-based malware likely used by a nation-state sponsored attacker used to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.",
+      "meta": {
+        "refs": [
+          "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails",
+          "https://blogs.blackberry.com/en/2022/03/threat-thursday-sunseed-malware"
+        ]
+      },
+      "uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36",
+      "value": "SunSeed"
+    },
+    {
+      "description": "According to Proofpoint, the A(uto)H(ot)K(key) Bot is a collection of separate AutoHotKey scripts. The bot's main component is an infinite loop that polls and downloads additional AHK scripts. The bot can load a stealer like Rhadamanthys and can check if the machine is part of an Active Directory domain.",
+      "meta": {
+        "refs": [
+          "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me",
+          "https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/",
+          "https://www.trendmicro.com/en_us/research/19/d/potential-targeted-attack-uses-autohotkey-and-malicious-script-embedded-in-excel-file-to-avoid-detection.html",
+          "https://www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html"
+        ]
+      },
+      "uuid": "5c7fa5e1-352a-41c3-8e55-744e5fa88793",
+      "value": "AHK Bot"
    }
  ],
-  "version": 160
+  "version": 161
 }