From 2c586d2f9615ed7ef3b47b29528103511a013bd0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 1 Feb 2022 11:05:25 +0100
Subject: [PATCH 1/9] chg: [tools] updated for the new website

---
 tools/gen_adoc_galaxy.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/gen_adoc_galaxy.sh b/tools/gen_adoc_galaxy.sh
index 629e5901..4fcb119c 100755
--- a/tools/gen_adoc_galaxy.sh
+++ b/tools/gen_adoc_galaxy.sh
@@ -1,7 +1,7 @@
 python3 adoc_galaxy.py >a.txt
 asciidoctor -a allow-uri-read a.txt
 asciidoctor-pdf -a allow-uri-read a.txt
-cp a.html ../../misp-website/galaxy.html
-cp a.pdf ../../misp-website/galaxy.pdf
+cp a.html ../../misp-website/static/galaxy.html
+cp a.pdf ../../misp-website/static/galaxy.pdf
 scp -l 81920 a.html circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/index.html
 scp -l 81920 a.pdf circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/galaxy.pdf

From 8f928d8eb38b506ffa170db5dae5398f55bc8008 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Wed, 2 Feb 2022 09:35:53 +0100
Subject: [PATCH 2/9] adding Gamaredon alias Shuckworm used by Symantec

---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 892a58e7..5178c5db 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4200,7 +4200,8 @@
 "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/"
 ],
 "synonyms": [
- "Primitive Bear"
+ "Primitive Bear",
+ "Shuckworm"
 ]
 },
 "related": [

From 833a6e0a8d72b3b6bf5a6b921c38fabefc0c0348 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Wed, 2 Feb 2022 09:40:10 +0100
Subject: [PATCH 3/9] updated URLs for Gamaredon with Shuckworm alias reference

---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5178c5db..239a323d 100644
--- a/clusters/threat-actor.json
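Review bot: The script still has no shebang and no `set -e`, so when `python3 adoc_galaxy.py` or either asciidoctor step fails, the `cp` lines changed here and the `scp` lines below them still copy and publish whatever stale `a.html`/`a.pdf` is left in the working directory. Since this hunk covers the whole file (lines 1-7), adding `#!/bin/sh` and `set -eu` as the first two lines would make each publishing step abort on the first failure. The new destinations are relative (`../../misp-website/static/`), so the result also depends on the directory the script is invoked from; a one-line comment naming the expected working directory, or resolving paths against `$(dirname "$0")`, would make that dependency explicit.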
+++ b/clusters/threat-actor.json
@@ -4197,7 +4197,8 @@
 "https://attack.mitre.org/groups/G0047/",
 "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/"
+ "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"
 ],
 "synonyms": [
 "Primitive Bear",

From fa9829cec06ce7bb55fa18e5aa452f685b3164d7 Mon Sep 17 00:00:00 2001
From: Kevin Holvoet <1122246+digihash@users.noreply.github.com>
Date: Wed, 2 Feb 2022 18:50:19 +0100
Subject: [PATCH 4/9] Update ransomware.json: add BlackCat (ALPHV)

---
 clusters/ransomware.json | 202 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 200 insertions(+), 2 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 539bf912..e040c719 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -5291,7 +5291,7 @@
 ],
 "refs": [
 "http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip",
- "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/",
+ "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-nues-the-trend-of-accepting-amazon-cards/",
 "https://twitter.com/malwarebread/status/804714048499621888"
 ],
 "synonyms": [
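Review bot: The `+` line in the `@@ -5291,7 +5291,7 @@` hunk truncates `continues` to `nues` in the bleepingcomputer URL, which turns a working reference into a dead link and looks like an accidental edit rather than part of the BlackCat addition. PATCH 5/9 in this series replaces the URL again, so either the original `"http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/",` should be kept here or the two commits squashed, so that a broken reference never lands in history.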
@@ -24225,6 +24225,204 @@
 "uuid": "feb5fa26-bad4-46da-921d-986d2fd81a40",
 "value": "WhisperGate"
 }
+ {
+ "description": "BlackCat (ALPHV) is ransomware written in Rust. The ransomware makes heavy use of plaintext JSON configuration files to specify the ransomware functionality. BlackCat has many advanced capabilities like escalating privileges and bypassing UAC make use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for both Windows, Linux, and ESXi systems. Multiple extortion techniques are used by the BlackCat gang, such as exfiltrating victim data before the ransomware deployment, threats to release data if the ransomw is not paid, and distributed denial-of-service (DDoS) attacks.",
+ "meta": {
+ "date": "June 2021",
+ "encryption": [
+ "AES",
+ "ChaCha20",
+ "Salsa"
+ ],
+ "ransomnotes-refs": [
+ "https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/word-image-78.png"
+ ],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat",
+ "https://1-id--ransomware-blogspot-com.translate.goog/2021/12/blackcat-ransomware.html?_x_tr_enc=1&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=ru",
+ "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809",
+ "https://github.com/f0wl/blackCatConf",
+ "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
+ "https://www.varonis.com/blog/alphv-blackcat-ransomware",
+ "https://www.intrinsec.com/alphv-ransomware-gang-analysis",
+ "https://unit42.paloaltonetworks.com/blackcat-ransomware/"
+ ],
+ "synonyms": [
+ "ALPHV"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ "uuid": "e6c09b63-a424-4d9e-b7f7-b752cbbca02a",
+ "value": "BlackCat"
+ }
 ],
- "version": 99
+ "version": 100
 }

From 389add75803e20657799b76845c89f4a5afd4dc5 Mon Sep 17 00:00:00 2001
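Review bot: The `related` array added for BlackCat lists `"dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab"` twice (once mid-list and again as the final entry), and none of the later patches in this series remove the duplicate, so the second occurrence should be dropped. The hunk is also not valid JSON as committed: the `}` closing the WhisperGate entry lacks a trailing comma and the `related` array is never closed with `]`, which PATCH 6/9 and 7/9 then repair; running `python3 -m json.tool clusters/ransomware.json` before committing would catch this class of error. In the description, `ransomw` should read `ransom`, and `exists for both Windows, Linux, and ESXi systems` should drop `both`. The `1-id--ransomware-blogspot-com.translate.goog` ref is a Google Translate proxy link; citing the original blog post URL is the more durable reference.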
From: Kevin Holvoet <1122246+digihash@users.noreply.github.com>
Date: Wed, 2 Feb 2022 18:54:31 +0100
Subject: [PATCH 5/9] Update ransomware.json with URL fix

Fixed URL for AlphaLocker
---
 clusters/ransomware.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index e040c719..b1dd1826 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -5291,7 +5291,7 @@
 ],
 "refs": [
 "http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip",
- "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-nues-the-trend-of-accepting-amazon-cards/",
+ "https://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-accepts-itunes-gift-cards-as-payment/",
 "https://twitter.com/malwarebread/status/804714048499621888"
 ],
 "synonyms": [

From 3d23f98d04634b592ff2d90613d63e30893caead Mon Sep 17 00:00:00 2001
From: Kevin Holvoet <1122246+digihash@users.noreply.github.com>
Date: Wed, 2 Feb 2022 18:58:55 +0100
Subject: [PATCH 6/9] Forgot comma between JSON entries

---
 clusters/ransomware.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index b1dd1826..12b958d0 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -24224,7 +24224,7 @@
 },
 "uuid": "feb5fa26-bad4-46da-921d-986d2fd81a40",
 "value": "WhisperGate"
- }
+ },
 {
 "description": "BlackCat (ALPHV) is ransomware written in Rust. The ransomware makes heavy use of plaintext JSON configuration files to specify the ransomware functionality. BlackCat has many advanced capabilities like escalating privileges and bypassing UAC make use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for both Windows, Linux, and ESXi systems. Multiple extortion techniques are used by the BlackCat gang, such as exfiltrating victim data before the ransomware deployment, threats to release data if the ransomw is not paid, and distributed denial-of-service (DDoS) attacks.",
 "meta": {

From 3328b73185f75ac37e1e0a91d2e1ba8b67b50e65 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 2 Feb 2022 22:32:39 +0100
Subject: [PATCH 7/9] fix: [ransomware] array end missing

---
 clusters/ransomware.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 12b958d0..a882f007 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -24420,6 +24420,7 @@
 ],
 "type": "uses"
 }
+ ],
 "uuid": "e6c09b63-a424-4d9e-b7f7-b752cbbca02a",
 "value": "BlackCat"
 }

From f49b54281b7645b703663a99613f6909ebc7a989 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 2 Feb 2022 22:36:14 +0100
Subject: [PATCH 8/9] chg: [ransomware] set encryption only

---
 clusters/ransomware.json | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index a882f007..2c6a2817 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -24229,11 +24229,7 @@
 "description": "BlackCat (ALPHV) is ransomware written in Rust. The ransomware makes heavy use of plaintext JSON configuration files to specify the ransomware functionality. BlackCat has many advanced capabilities like escalating privileges and bypassing UAC make use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for both Windows, Linux, and ESXi systems. Multiple extortion techniques are used by the BlackCat gang, such as exfiltrating victim data before the ransomware deployment, threats to release data if the ransomw is not paid, and distributed denial-of-service (DDoS) attacks.",
 "meta": {
 "date": "June 2021",
- "encryption": [
- "AES",
- "ChaCha20",
- "Salsa"
- ],
+ "encryption": "AES",
 "ransomnotes-refs": [
 "https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/word-image-78.png"
 ],

From 4700780d47623c8fbb67211be44267bc2e68ae2d Mon Sep 17 00:00:00 2001
From: rwe
Date: Sat, 5 Feb 2022 04:52:33 -0800
Subject: [PATCH 9/9] added antlion APT group

---
 clusters/threat-actor.json | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 239a323d..a1f1d370 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
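Review bot: Collapsing `encryption` to the single string `"AES"` drops ChaCha20 and Salsa while the description three lines above still states that the ransomware makes use of `AES and ChaCha20 or Salsa encryption`, so the two fields now disagree. If the field is constrained to one string by the cluster schema (inferred from this change, not visible in the hunk), the commit message should say so and the other ciphers should at least stay in the description; otherwise the array was the more accurate representation and the change should be reverted.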
@@ -8911,7 +8911,24 @@
 },
 "uuid": "676c1129-5664-4698-92ee-031f81baefce",
 "value": "AQUATIC PANDA"
+ },
+ {
+ "description": "Antlion is a Chinese state-backed advanced persistent threat (APT) group, who has been targeting financial institutions in Taiwan. This persistent campaign has lasted over the course of at least 18 months.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "Taiwan"
+ ],
+ "cfr-target-category": [
+ "Financial"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks"
+ ]
+ },
+ "uuid": "8482f350-867c-11ec-a8a3-0242ac120002",
+ "value": "Antlion"
 }
 ],
- "version": 210
+ "version": 211
 }
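Review bot: The new entry's `uuid` `8482f350-867c-11ec-a8a3-0242ac120002` is a time-based version-1 UUID (version nibble `1`), whereas the neighbouring entries visible in this series (`676c1129-5664-4698-…`, `feb5fa26-bad4-46da-…`, `e6c09b63-a424-4d9e-…`) use random version-4 UUIDs. A v1 UUID embeds a timestamp and a node identifier, and the `0242ac…` node field here has the shape of a locally administered MAC address, so it carries host-derived information that a random identifier would not; generating the id with `python3 -c 'import uuid; print(uuid.uuid4())'` keeps the file's convention. In the description, `group, who has been targeting` should read `group, which has been targeting`.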