From 55083776a0058ea07a450ee3c943d3c9b117c2a9 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:05 -0800
Subject: [PATCH 01/12] [threat-actors] Add Domestic Kitten aliases
---
 clusters/threat-actor.json | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2d5a29a..820c620 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7145,8 +7145,16 @@
 {
 "description": "An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.",
 "meta": {
+ "country": "IR",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/"
+ "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/",
+ "https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html",
+ "https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/",
+ "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/"
+ ],
+ "synonyms": [
+ "Bouncing Golf",
+ "APT-C-50"
 ]
 },
 "uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee",
From 859d3f7ac01d4612ca858d97140eb434f1693159 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:06 -0800
Subject: [PATCH 02/12] [threat-actors] Add Earth Berberoka aliases
---
 clusters/threat-actor.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 820c620..5416249 100644
--- a/clusters/threat-actor.json
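Review bot: `"Bouncing Golf"` is recorded as a synonym, but the Trend Micro reference it is taken from (the `mobile-cyberespionage-campaign-bouncing-golf` URL added to refs) is a campaign write-up, and as far as I recall it presents that campaign as possibly related to Domestic Kitten rather than as the same actor. If that report is the basis, an unqualified alias overstates the link; keeping the report in refs and noting the suspected overlap in the description (`Trend Micro's "Bouncing Golf" campaign reporting may be related to this activity`) would be more accurate. The new `"country": "IR"` is consistent with the Check Point report in refs, though other entries in this file pair attribution fields with an explicit confidence value (the Tonto Team entry in patch 05 carries `"attribution-confidence": "50"`), and this one does not.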
+++ b/clusters/threat-actor.json
@@ -10643,7 +10643,12 @@
 "https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt",
 "https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt",
 "https://www.youtube.com/watch?v=QXGO4RJaUPQ",
- "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf"
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
+ "https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/",
+ "https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html"
+ ],
+ "synonyms": [
+ "GamblingPuppet"
 ]
 },
 "uuid": "9d82077b-7e95-4b22-8762-3224797ff5f0",
From baaf153229b961270a29a1867eb0170b416164da Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:06 -0800
Subject: [PATCH 03/12] [threat-actors] Add Operation Red Signature
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5416249..c02a1e5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
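Review bot: The two refs added after the botconf PDF are, going by their URLs, a Securelist report on DiceyF and a Trend Micro report on Iron Tiger, yet the only alias recorded is `"GamblingPuppet"`, so nothing in the entry tells a reader how those two names relate to Earth Berberoka. If the reports are cited because they describe overlap with this actor, the entry should say so — as additional synonyms if the author considers them the same group, or as a sentence in the description (`Kaspersky's DiceyF and Trend Micro's Iron Tiger reporting overlaps with this activity`) if the overlap is only partial. The entry's description and the start of its refs array lie outside this hunk.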
@@ -14920,6 +14920,18 @@
 },
 "uuid": "f34962a4-a792-4f23-af23-a8bf0f053fcf",
 "value": "Ferocious Kitten"
+ },
+ {
+ "description": "The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organisations.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/?utm_source=rss&utm_medium=rss&utm_campaign=avast-finds-backdoor-on-us-government-commission-network",
+ "https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html"
+ ]
+ },
+ "uuid": "3e9b98d9-0c61-4050-bafa-486622de0080",
+ "value": "Operation Red Signature"
 }
 ],
 "version": 299
From cc4dca679b7fb0d34ee6c2114067b74ff80cc032 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:06 -0800
Subject: [PATCH 04/12] [threat-actors] Add Earth Yako
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c02a1e5..78ac9c3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
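Review bot: `"version": 299` appears unchanged as context at the bottom of this hunk although the patch adds a whole new cluster entry, and the same `"version": 299` context is visible in patches 04, 08 and 09; none of the ten threat-actor.json patches in this series bumps the version, whereas patch 11 does bump surveillance-vendor.json (`-  "version": 4` / `+  "version": 6`). If I remember the galaxy update mechanism correctly, consumers decide whether to re-import a cluster file from that number, so the alias and entry additions in patches 01–10 would go unnoticed until some later bump; the last patch touching this file should carry one. Separately, the Avast ref keeps its tracking query string (`?utm_source=rss&utm_medium=rss&utm_campaign=...`), which the page does not need and which makes refs harder to deduplicate — the redpacketsecurity ref in patch 10 has the same suffix and is itself an RSS republication, where the original Trend Micro report would be the better citation. It is also worth a check whether "Operation Red Signature" belongs as its own threat-actor entry rather than as an operation of an already-listed actor, though the description as written does not name one.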
@@ -14932,6 +14932,20 @@
 },
 "uuid": "3e9b98d9-0c61-4050-bafa-486622de0080",
 "value": "Operation Red Signature"
+ },
+ {
+ "description": "Earth Yako is a threat actor that has been actively targeting researchers in academic organizations and think tanks in Japan. They use spearphishing emails with malicious attachments to gain initial access to their targets' systems. Earth Yako's objectives and patterns suggest a possible connection to a Chinese APT group, but conclusive proof of their nationality is lacking. They have been observed using various malware delivery methods and techniques, such as the use of Winword.exe for DLL Hijacking.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html"
+ ],
+ "synonyms": [
+ "Operation RestyLink",
+ "Enelink"
+ ]
+ },
+ "uuid": "2875aff1-2a0f-4e82-ae42-607a3a74d129",
+ "value": "Earth Yako"
 }
 ],
 "version": 299
From 5194939603e3deec66128c3d62a86bad354c49e2 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:06 -0800
Subject: [PATCH 05/12] [threat-actors] Add Tonto Team aliases
---
 clusters/threat-actor.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 78ac9c3..5b50671 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5162,6 +5162,7 @@
 "value": "Cyber Berkut"
 },
 {
+ "description": "Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
@@ -5185,7 +5186,11 @@
 "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
+ "https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html",
+ "https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf",
+ "https://www.recordedfuture.com/multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities"
 ],
 "synonyms": [
 "CactusPete",
@@ -5194,7 +5199,9 @@
 "COPPER",
 "Red Beifang",
 "G0131",
- "PLA Unit 65017"
+ "PLA Unit 65017",
+ "Earth Akhlut",
+ "TAG-74"
 ]
 },
 "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
From 9a2e09d86cda33c7ae58c76da61e59fd00917654 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:06 -0800
Subject: [PATCH 06/12] [threat-actors] Add Operation C-Major aliases
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5b50671..d27bfad 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3478,7 +3478,9 @@
 "https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
 "https://s.tencent.com/research/report/669.html",
 "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
- "https://www.secureworks.com/research/threat-profiles/copper-fieldstone"
+ "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
+ "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
+ "https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/"
 ],
 "synonyms": [
 "C-Major",
@@ -3489,7 +3491,8 @@
 "APT 36",
 "TMP.Lapis",
 "Green Havildar",
- "COPPER FIELDSTONE"
+ "COPPER FIELDSTONE",
+ "Earth Karkaddan"
 ],
 "targeted-sector": [
 "Activists",
From f58c20fc20f92cfda8de9e43d8071d95a34c67a9 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:06 -0800
Subject: [PATCH 07/12] [threat-actors] Add APT23 aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d27bfad..fd25b8f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1615,7 +1615,8 @@
 "https://attack.mitre.org/groups/G0081/",
 "https://www.secureworks.com/research/threat-profiles/bronze-hobart",
 "https://www.mandiant.com/resources/insights/apt-groups",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html"
 ],
 "synonyms": [
 "PIRATE PANDA",
@@ -1623,7 +1624,8 @@
 "Tropic Trooper",
 "BRONZE HOBART",
 "G0081",
- "Red Orthrus"
+ "Red Orthrus",
+ "Earth Centaur"
 ],
 "targeted-sector": [
 "Military",
From c740c6f1e13f10ead606a42948e2d844317bb957 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:06 -0800
Subject: [PATCH 08/12] [threat-actors] Add Urpage
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fd25b8f..fb3ecff 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14958,6 +14958,16 @@
 },
 "uuid": "2875aff1-2a0f-4e82-ae42-607a3a74d129",
 "value": "Earth Yako"
+ },
+ {
+ "description": "What sets Urpage attacks apart is its targeting of InPage, a word processor for Urdu and Arabic languages. However, its Delphi backdoor component, which it has in common with Confucius and Patchwork, and its apparent use of Bahamut-like malware, is what makes it more intriguing as it connects Urpage to these other known threats. Trend Micro covered the Delphi component in the context of the Confucius and Patchwork connection. They mentioned Urpage as a third unnamed threat actor connected to the two.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html"
+ ]
+ },
+ "uuid": "4e137d53-b9cf-4b9a-88c2-f29dd27ac302",
+ "value": "Urpage"
 }
 ],
 "version": 299
From 6235ee49f7bdd46aa85062f134b7c2e90888c5de Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:07 -0800
Subject: [PATCH 09/12] [threat-actors] Add Operation Emmental
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fb3ecff..e0a145f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
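Review bot: The new description opens with `"What sets Urpage attacks apart is its targeting of InPage…"`, which reads as a paragraph lifted mid-way out of the Trend Micro post and never says what Urpage is before comparing it to other groups. A self-contained first sentence would help anyone reading the entry on its own, e.g. `Urpage is a threat actor documented by Trend Micro in 2018 whose attacks target InPage, a word processor for Urdu and Arabic; its Delphi backdoor component, shared with Confucius and Patchwork, and its use of Bahamut-like malware connect it to those groups.` The closing two sentences (`Trend Micro covered the Delphi component… They mentioned Urpage as a third unnamed threat actor…`) describe the vendor's reporting history rather than the actor and could be dropped, or moved into the refs context. The absence of `country` and `synonyms` is fine given the single source.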
@@ -14968,6 +14968,21 @@
 },
 "uuid": "4e137d53-b9cf-4b9a-88c2-f29dd27ac302",
 "value": "Urpage"
+ },
+ {
+ "description": "Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012. They primarily target customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. The group has developed sophisticated malware, including a Mac alternative called Dok, to bypass two-factor authentication and hijack network traffic. They have also been observed using phishing emails to spread their malware. The group is believed to be Russian-speaking and has continuously improved their malicious codes over the years.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/osx_dok-mac-malware-emmental-hijacks-user-network-traffic/"
+ ],
+ "synonyms": [
+ "Retefe Gang",
+ "Retefe Group"
+ ]
+ },
+ "uuid": "a1527821-fe84-44ec-ad29-8d3040463bc9",
+ "value": "Operation Emmental"
 }
 ],
 "version": 299
From 02bec6da4f5cbc47ea91b2b81f4b32b59079f78f Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 6 Feb 2024 07:30:07 -0800
Subject: [PATCH 10/12] [threat-actors] Add TwoSail Junk aliases
---
 clusters/threat-actor.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e0a145f..a21b30c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
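Review bot: `"country": "RU"` is asserted in meta while the description itself only says the group `is believed to be Russian-speaking`, and a language indicator is neither a location nor a state attribution. Either drop the `country` key or qualify it the way other entries in this file do (the Tonto Team entry in patch 05 carries `"attribution-confidence": "50"` alongside its attribution fields). The single ref is plain `http://` while every other ref added in this series is `https://`; the host very likely serves TLS, so `https://blog.trendmicro.com/...` is the better form. Because `"Retefe Gang"` and `"Retefe Group"` are recorded as synonyms, it is also worth checking whether an existing Retefe cluster, here or in a malware galaxy, already covers this activity, to avoid a duplicate entry that correlates to the same reports.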
@@ -13112,7 +13112,11 @@
 "meta": {
 "refs": [
 "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
- "https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/"
+ "https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/",
+ "https://www.redpacketsecurity.com/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/?utm_source=rss&utm_medium=rss&utm_campaign=operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links"
+ ],
+ "synonyms": [
+ "Operation Poisoned News"
 ]
 },
 "uuid": "533af03d-e160-4312-a92f-0500055f2b56",
From d07c584525b6a6cb5a7222daee3b2cc90408fb51 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 7 Feb 2024 10:21:40 +0100
Subject: [PATCH 11/12] chg: [surveillance-vendor] updated following https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors_-_TAG_report.pdf
---
 clusters/surveillance-vendor.json | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/clusters/surveillance-vendor.json b/clusters/surveillance-vendor.json
index 6834234..b6e4f34 100644
--- a/clusters/surveillance-vendor.json
+++ b/clusters/surveillance-vendor.json
@@ -35,6 +35,13 @@
 ],
 "refs": [
 "https://en.wikipedia.org/wiki/NSO_Group"
+ ],
+ "synonyms": [
+ "Q-Cyber",
+ "Circles"
+ ],
+ "products": [
+ "PEGASUS"
 ]
 },
 "uuid": "49d8e89f-401d-4d3d-9155-5758a346a4a1",
@@ -193,6 +200,9 @@
 "Balinese Ltd.",
 "Peterbald Ltd.",
 "Cytrox Holdings Zrt"
+ ],
+ "products": [
+ "DevilsTongue"
 ]
 },
 "uuid": "4dbfa61e-0cf5-4142-babf-3cdce348568d",
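Review bot: The new `products` values are written in inconsistent case: `"PEGASUS"` in the NSO Group hunk and `"ALIEN"`, `"PREDATOR"` in the Intellexa hunk on the next line are all-caps, while `"DevilsTongue"`, `"Hermit"`, `"Nova"`, `"Triton"` and `"Helios"` use the vendors' mixed case. Galaxy values are compared as plain strings by consumers, and if these product names are ever correlated against malware or tool clusters a casing difference is a spurious mismatch, so one convention across the new key — the name as the reporting writes it, e.g. `"Pegasus"`, `"Alien"`, `"Predator"` — would be safer. This hunk is also the first place a `products` key appears in surveillance-vendor.json within the series; if the galaxy's meta is validated against a schema, that key has to be permitted there too.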
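Review bot: `"DevilsTongue"` is attached to the Cytrox entry (uuid `4dbfa61e-0cf5-4142-babf-3cdce348568d`), but DevilsTongue is, as far as I know, the name given to Candiru's spyware, while Cytrox's product is Predator — the entry's own description (visible in patch 12) mentions Candiru only as a comparison for corporate obfuscation, and its single ref is the Citizen Lab Pegasus-vs-Predator report. The value looks like it was placed on the wrong vendor; it should move to the Candiru entry if the file has one, and `"PREDATOR"`, currently listed only under Intellexa, arguably belongs on Cytrox as well. Patch 12's `@@ -191,6 +191,9 @@` and `@@ -200,9 +203,6 @@` hunks carry the same value over when they reorder keys, so they need the same correction.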
@@ -205,6 +215,12 @@
 "https://www.rcslab.it/en/index.html",
 "https://www.lookout.com/blog/hermit-spyware-discovery",
 "https://www.vice.com/en/article/nz75wd/european-surveillance-companies-agt-rcs-sell-syria-tools-of-oppression"
+ ],
+ "synonyms": [
+ "RCS Lab"
+ ],
+ "products": [
+ "Hermit"
 ]
 },
 "uuid": "28ed79b6-a11d-4e41-af80-ece8f0e0c2d3",
@@ -241,6 +257,13 @@
 "https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/",
 "https://www.spiegel.de/international/business/the-predator-files-european-spyware-consortium-supplied-despots-and-dictators-a-2fd8043f-c5c1-4b05-b5a6-e8f8b9949978",
 "https://blog.google/threat-analysis-group/0-days-exploited-by-commercial-surveillance-vendor-in-egypt/"
+ ],
+ "products": [
+ "Nova",
+ "Triton",
+ "Helios",
+ "ALIEN",
+ "PREDATOR"
 ]
 },
 "uuid": "1c909820-82eb-11ee-80c7-325096b39f47",
@@ -369,6 +392,9 @@
 "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
 "https://securityaffairs.com/125083/intelligence/nexa-technologies-indicted.html",
 "https://wearenexa.com/aboutus/"
+ ],
+ "synonyms": [
+ "Nexa Technologies"
 ]
 },
 "uuid": "eb6af48e-82ea-11ee-a4dc-325096b39f47",
@@ -601,5 +627,5 @@
 "value": "Raxir"
 }
 ],
- "version": 4
+ "version": 6
 }
From 94051bb5efddbf8e493456f733b863ed504c4d72 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 7 Feb 2024 10:39:03 +0100
Subject: [PATCH 12/12] chg: [surveillance-vendor] updated
---
 clusters/surveillance-vendor.json | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/clusters/surveillance-vendor.json b/clusters/surveillance-vendor.json
index b6e4f34..ff058e6 100644
--- a/clusters/surveillance-vendor.json
+++ b/clusters/surveillance-vendor.json
@@ -33,15 +33,15 @@
 "official-refs": [
 "https://www.nsogroup.com/"
 ],
+ "products": [
+ "PEGASUS"
+ ],
 "refs": [
 "https://en.wikipedia.org/wiki/NSO_Group"
 ],
 "synonyms": [
 "Q-Cyber",
 "Circles"
- ],
- "products": [
- "PEGASUS"
 ]
 },
 "uuid": "49d8e89f-401d-4d3d-9155-5758a346a4a1",
@@ -191,6 +191,9 @@
 {
 "description": "Cytrox’s Israeli companies were founded in 2017 as Cytrox EMEA Ltd. and Cytrox Software Ltd. Perhaps taking a page from Candiru’s corporate obfuscation playbook, both of those companies were renamed in 2019 to Balinese Ltd. and Peterbald Ltd., respectively. We also observed one entity in Hungary, Cytrox Holdings Zrt, which was also formed in 2017.",
 "meta": {
+ "products": [
+ "DevilsTongue"
+ ],
 "refs": [
 "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/"
 ],
@@ -200,9 +203,6 @@
 "Balinese Ltd.",
 "Peterbald Ltd.",
 "Cytrox Holdings Zrt"
- ],
- "products": [
- "DevilsTongue"
 ]
 },
 "uuid": "4dbfa61e-0cf5-4142-babf-3cdce348568d",
@@ -211,6 +211,9 @@
 {
 "description": "RCS Lab S.p.A., Italian vendor likely using Tykelab Srl as a front company.",
 "meta": {
+ "products": [
+ "Hermit"
+ ],
 "refs": [
 "https://www.rcslab.it/en/index.html",
 "https://www.lookout.com/blog/hermit-spyware-discovery",
@@ -218,9 +221,6 @@
 ],
 "synonyms": [
 "RCS Lab"
- ],
- "products": [
- "Hermit"
 ]
 },
 "uuid": "28ed79b6-a11d-4e41-af80-ece8f0e0c2d3",
@@ -252,18 +252,18 @@
 {
 "description": "The Intellexa alliance is an evolving group of companies and brands that have been involved in developing and marketing a wide range of surveillance products including advanced spyware, mass surveillance platforms, and tactical systems for targeting and intercepting nearby devices. The corporate entities of the alliance span various jurisdictions, both within and outside the EU. The exact nature of links between these companies is shrouded in secrecy as corporate entities, and the structures between them, are constantly morphing, renaming, rebranding, and evolving.",
 "meta": {
- "refs": [
- "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
- "https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/",
- "https://www.spiegel.de/international/business/the-predator-files-european-spyware-consortium-supplied-despots-and-dictators-a-2fd8043f-c5c1-4b05-b5a6-e8f8b9949978",
- "https://blog.google/threat-analysis-group/0-days-exploited-by-commercial-surveillance-vendor-in-egypt/"
- ],
 "products": [
 "Nova",
 "Triton",
 "Helios",
 "ALIEN",
 "PREDATOR"
+ ],
+ "refs": [
+ "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
+ "https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/",
+ "https://www.spiegel.de/international/business/the-predator-files-european-spyware-consortium-supplied-despots-and-dictators-a-2fd8043f-c5c1-4b05-b5a6-e8f8b9949978",
+ "https://blog.google/threat-analysis-group/0-days-exploited-by-commercial-surveillance-vendor-in-egypt/"
 ]
 },
 "uuid": "1c909820-82eb-11ee-80c7-325096b39f47",