From f7cb975c54e6a3d1bd303a8a1938490e4d53a219 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 8 Jul 2024 02:28:35 -0700 Subject: [PATCH 1/5] [threat-actors] Add Chamelgang aliases --- clusters/threat-actor.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 10baf5a6..de5e1c9b 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -12100,7 +12100,11 @@ "Energy" ], "refs": [ - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/" + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/", + "https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/" + ], + "synonyms": [ + "CamoFei" ] }, "related": [ From d8e7fbaa799f5754675fc65ca4aa7ad07d1d3166 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 8 Jul 2024 02:28:35 -0700 Subject: [PATCH 2/5] [threat-actors] Add CloudSorcerer --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index de5e1c9b..0f12c5ab 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16326,6 +16326,16 @@ }, "uuid": "99ad0cef-c53a-44d5-85d4-5459e59a06d5", "value": "Boolka" + }, + { + "description": "CloudSorcerer is a sophisticated APT targeting Russian government entities, utilizing cloud infrastructure for stealth monitoring and data exfiltration. The malware leverages APIs and authentication tokens to access cloud resources for command and control, with GitHub serving as its initial C2 server. CloudSorcerer operates as separate modules depending on the process it's running in, executing from a single executable and utilizing complex inter-process communication through Windows pipes. The actor behind CloudSorcerer shows similarities to the CloudWizard APT in modus operandi, but the unique code and functionality suggest it is a new threat actor inspired by previous techniques.", + "meta": { + "refs": [ + "https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/" + ] + }, + "uuid": "895548a2-e5c7-4a76-8425-19aa077db200", + "value": "CloudSorcerer" } ], "version": 312 From 68d61732d104de3a8989312a37d201f28b3c0145 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 8 Jul 2024 02:28:35 -0700 Subject: [PATCH 3/5] [threat-actors] Add Water Sigbin --- clusters/threat-actor.json | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0f12c5ab..c9993307 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16336,6 +16336,27 @@ }, "uuid": "895548a2-e5c7-4a76-8425-19aa077db200", "value": "CloudSorcerer" + }, + { + "description": "The 8220 Gang, also known as Water Sigbin, is a threat actor group that focuses on deploying cryptocurrency-mining malware. They exploit vulnerabilities in Oracle WebLogic servers, such as CVE-2017-3506 and CVE-2023-21839, to deliver cryptocurrency miners using PowerShell scripts. The group has demonstrated a sophisticated multistage loading technique to deploy the PureCrypter loader and XMRIG crypto miner. They are known for using obfuscation techniques, such as hexadecimal encoding and code obfuscation, to evade detection and compromise systems.", + "meta": { + "country": "CN", + "refs": [ + "https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html", + "https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html", + "https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat", + "https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/", + "https://asec.ahnlab.com/en/51568/", + "https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html", + "https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134", + "https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/" + ], + "synonyms": [ + "8220 Gang" + ] + }, + "uuid": "745fd45f-9076-4c88-a977-01940bc0d36e", + "value": "Water Sigbin" } ], "version": 312 From 9321234588f51ea9cb3d16238ff35b4864088b53 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 8 Jul 2024 02:28:35 -0700 Subject: [PATCH 4/5] [threat-actors] Add Scattered Spider aliases --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index c9993307..74e11bc4 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -12556,7 +12556,8 @@ "Octo Tempest", "0ktapus", "Storm-0971", - "DEV-0971" + "DEV-0971", + "Starfraud" ] }, "uuid": "3b238f3a-c67a-4a9e-b474-dc3897e00129", From cf1e9e9bf5e4d48cdd72cba09ec8625178d052ca Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 8 Jul 2024 02:28:36 -0700 Subject: [PATCH 5/5] [threat actors] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4c990e9e..a090d235 100644 --- a/README.md +++ b/README.md @@ -535,7 +535,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *705* elements +Category: *actor* - source: *MISP Project* - total: *707* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]