From 64904242014ca5d337f319e7a4a48a5b8cdbd6ac Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 20 Mar 2024 10:23:42 -0700
Subject: [PATCH 1/4] [threat-actors] Add UNC5325
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ba92366..39c195c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15340,6 +15340,17 @@
 },
 "uuid": "69a944ef-4962-432e-a1b9-575b646ee2ed",
 "value": "R00tK1T"
+ },
+ {
+ "description": "UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances. UNC5325 leveraged code from open-source projects, installed custom malware, and modified the appliance's settings in order to evade detection and attempt to maintain persistence. UNC5325 has been observed deploying LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. Mandiant identified TTPs and malware code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware leveraged by UNC3886. Mandiant assesses with moderate confidence that UNC5325 is associated with UNC3886.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence"
+ ]
+ },
+ "uuid": "ffb28c09-16a6-483a-817a-89c89751c9d4",
+ "value": "UNC5325"
 }
 ],
 "version": 304
From b2e9f6c1524da288d7d1aa5cbe47d3f8757cbe2c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 20 Mar 2024 10:23:42 -0700
Subject: [PATCH 2/4] [threat-actors] Add Earth Kapre
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 39c195c..5cbfc37 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
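Review bot: The `"version": 304` context line at the end of the hunk shows the cluster version is not bumped even though a new entry is added; MISP galaxy consumers compare that field to decide whether to re-import, so the series should end with `"version": 305` (patches 2/4, 3/4 and 4/4 leave it at 304 as well, so one bump in the last commit is enough, unless that is done in a separate commit outside this series). The moderate-confidence association with UNC3886 stated in the description exists only as prose; if the file already has a UNC3886 cluster, a `"related": [{"dest-uuid": "<UNC3886 entry uuid>", "type": "similar"}]` array on this entry would make the link queryable, using the same `related` structure the file uses elsewhere (visible as a context line in patch 3/4). Patch 4/4's Earth Krahang entry could carry the same kind of link to Earth Lusca.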
@@ -15351,6 +15351,20 @@
 },
 "uuid": "ffb28c09-16a6-483a-817a-89c89751c9d4",
 "value": "UNC5325"
+ },
+ {
+ "description": "Earth Kapre is an APT group specializing in cyberespionage. They target organizations in various countries through phishing campaigns using malicious attachments to infect machines. Earth Kapre employs techniques like abusing PowerShell, curl, and Program Compatibility Assistant to execute malicious commands and evade detection within targeted networks. The group has been active since at least 2018 and has been linked to multiple incidents involving data theft and espionage.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html"
+ ],
+ "synonyms": [
+ "RedCurl",
+ "Red Wolf"
+ ]
+ },
+ "uuid": "d4004926-bf12-4cfe-b141-563c8ffb304a",
+ "value": "Earth Kapre"
 }
 ],
 "version": 304
From bef50816a4b8a9a06d0b7a1731c6397db6a87df2 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 20 Mar 2024 10:23:42 -0700
Subject: [PATCH 3/4] [threat-actors] Add MuddyWater aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5cbfc37..26922b1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6285,7 +6285,8 @@
 "https://attack.mitre.org/groups/G0069/",
 "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
 "https://unit42.paloaltonetworks.com/atoms/boggyserpens/",
- "https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/"
+ "https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/",
+ "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
 ],
 "synonyms": [
 "TEMP.Zagros",
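Review bot: `"RedCurl"` appears in this hunk only as a synonym of a brand-new UUID, so if clusters/threat-actor.json already has a RedCurl cluster (the name predates the Trend Micro article cited in refs) the actor ends up duplicated under two UUIDs; the smaller change would be adding `"Earth Kapre"` and `"Red Wolf"` to that existing entry's synonyms together with the new ref. The rest of the file is not visible in this patch, so treat this as a duplicate check to run before merge: a search for `RedCurl` over the existing `value` and `synonyms` fields settles it.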
@@ -6297,7 +6298,8 @@
 "ATK51",
 "Boggy Serpens",
 "Mango Sandstorm",
- "TA450"
+ "TA450",
+ "Earth Vetala"
 ]
 },
 "related": [
From 38d0804f9c4a4df1960b5aef4dc72fc87fdc96e0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 20 Mar 2024 10:23:42 -0700
Subject: [PATCH 4/4] [threat-actors] Add Earth Krahang
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 26922b1..9ccf9e3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15367,6 +15367,18 @@
 },
 "uuid": "d4004926-bf12-4cfe-b141-563c8ffb304a",
 "value": "Earth Kapre"
+ },
+ {
+ "description": "Earth Krahang is an APT group targeting government organizations worldwide. They use spear-phishing emails, weak internet-facing servers, and custom backdoors like Cobalt Strike, RESHELL, and XDealer to conduct cyber espionage. The group creates VPN servers on infected systems, employs brute force attacks on email accounts, and exploits compromised government infrastructure to attack other governments. Earth Krahang has been linked to another China-linked actor, Earth Lusca, and is believed to be part of a specialized task force for cyber espionage against government institutions.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-china-linked-earth-krahang-apt-breached-70-organizations-in-23-nations-active-iocs",
+ "https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html"
+ ]
+ },
+ "uuid": "8cfc9653-51bc-40f1-a267-78a1b8c763f6",
+ "value": "Earth Krahang"
 }
 ],
 "version": 304
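Review bot: The Earth Krahang description line in the last hunk groups Cobalt Strike under "custom backdoors" alongside RESHELL and XDealer; Cobalt Strike is a commercial post-exploitation framework rather than a tool built by the actor, so the sentence should read `They use spear-phishing emails, weak internet-facing servers, Cobalt Strike, and custom backdoors like RESHELL and XDealer to conduct cyber espionage.` The Earth Lusca link in the description's final sentence likewise exists only in prose; if an Earth Lusca cluster exists in the file, a `related` entry with its uuid as `dest-uuid` and `"type": "similar"` would let tooling follow it.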