MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

update threat actor galaxy

pull/416/head
Deborah Servili 2019-06-20 16:25:23 +02:00
parent 4bd37e2b2d
commit a984786c8b
No known key found for this signature in database
GPG Key ID: 7E3A832850D4D7D1
1 changed files with 102 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
clusters/threat-actor.json
View File

@ -668,7 +668,8 @@
"https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
"https://securelist.com/winnti-more-than-just-a-game/37029/",
"https://401trg.com/burning-umbrella/",
"https://attack.mitre.org/groups/G0044/"
"https://attack.mitre.org/groups/G0044/",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/"
],
"synonyms": [
"Winnti Group",
@ -6737,7 +6738,17 @@
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/The_Shadow_Brokers",
"https://securelist.com/darkpulsar/88199/"
"https://securelist.com/darkpulsar/88199/",
"https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html",
"https://www.vice.com/en_us/article/53djj3/shadow-brokers-whine-that-nobody-is-buying-their-hacked-nsa-files",
"https://www.scmagazineuk.com/second-shadow-brokers-dump-released/article/1476023",
"https://securelist.com/darkpulsar/88199/",
"https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/",
"https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html",
"https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/",
"http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html",
"https://www.hackread.com/nsa-data-dump-shadowbrokers-expose-unitedrake-malware/",
"https://blacklakesecurity.com/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/"
],
"synonyms": [
"The ShadowBrokers",
@ -6774,7 +6785,7 @@
"value": "HookAds"
},
{
"description": "INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.",
"description": "INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.\nIn August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
@ -6902,27 +6913,30 @@
"value": "TA505"
},
{
"description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return.",
"description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.\nSimilar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuks appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.\nGrim Spider is reportedly associated with Lunar Spider and Wizard Spider.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
]
},
"uuid": "3cf6dbb5-bf9e-47d4-a8d5-b6d76f5a791f",
"value": "GRIM SPIDER"
},
{
"description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
"description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
"https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
"https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/"
]
},
"uuid": "bdf4fe4f-af8a-495f-a719-cf175cecda1f",
"value": "WIZARD SPIDER"
},
{
"description": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malwares capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.",
"description": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malwares capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.\nMUMMY SPIDER does not follow typical criminal behavioral patterns. In particular, MUMMY SPIDER usually conducts attacks for a few months before ceasing operations for a period of between three and 12 months, before returning with a new variant or version.\nAfter a 10 month hiatus, MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects, it is currently acting as a loader delivering other malware packages. The primary modules perform reconnaissance on victim machines, drop freeware tools for credential collection from web browsers and mail clients and a spam plugin for self-propagation. The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot.\n MUMMY SPIDER advertised Emotet on underground forums until 2015, at which time it became private. Therefore, it is highly likely that Emotet is operate",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
@ -6930,7 +6944,8 @@
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service"
],
"synonyms": [
"TA542"
"TA542",
"Mummy Spider"
]
},
"uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b",
@ -7023,10 +7038,11 @@
"value": "Boss Spider"
},
{
"description": "First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates.",
"description": "First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates.\nCrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”\n PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.",
"meta": {
"refs": [
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/"
]
},
"uuid": "80f07c15-cad3-44a2-a8a4-dd14490b5117",
@ -7113,10 +7129,12 @@
"value": "Tiny Spider"
},
{
"description": "According to CrowdStrike, this actor is using BokBok/IcedID, potentially buying distribution through Emotet infections.",
"description": "According to CrowdStrike, this actor is using BokBok/IcedID, potentially buying distribution through Emotet infections.\nOn March 17, 2019, CrowdStrike Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDER), which may provide WIZARD SPIDER with additional tools to steal sensitive information and conduct fraudulent wire transfers. This activity also provides further evidence to support the existence of a flourishing relationship between these two actors.\nLunar Spider is reportedly associated withGrim Spider and Wizard Spider.",
"meta": {
"refs": [
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
"https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/"
]
},
"uuid": "0db4c708-f33d-4d46-906d-12fdf7415f62",
@ -7517,7 +7535,77 @@
},
"uuid": "f32e3682-9298-11e9-8dcb-639156d97cd1",
"value": "Gnosticplayers"
},
{
"description": "The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since.\nSince being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world.\nThe capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a devices webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments an allegation it has consistently denied.\nWhen the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data including the once-secret list of customers, internal communications, and spyware source code leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future.\nFollowing the hack, the security community has been keeping a close eye on the companys efforts to get back on its feet. The first reports suggesting Hacking Teams resumed operations came six months later a new sample of Hacking Teams Mac spyware was apparently in the wild. A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Teams shareholder structure, with Tablem Limited taking 20% of Hacking Teams shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.",
"meta": {
"refs": [
"https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/",
"https://en.wikipedia.org/wiki/Hacking_Team",
"https://www.vice.com/en_us/article/gvye3m/spy-tech-company-hacking-team-gets-hacked"
]
},
"uuid": "d7f0d2a8-9329-11e9-851e-dbfc1c517e4e",
"value": "Hacking Team"
},
{
"description": "OurMine is known for celebrity internet accounts, often causing cyber vandalism, to advertise their commercial services.\n(Trend Micro) In light of the recent report detailing its willingness to pay US$250,000 in exchange for the 1.5 terabytes worth of data swiped by hackers from its servers, HBO finds itself dealing with yet another security breach.\nKnown for hijacking prominent social media accounts, the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network. These include accounts for HBO shows, such as “Game of Thrones,” “Girls,” and “Ballers.”\nThis is not the first time that OurMine has claimed responsibility for hacking high- profile social networking accounts. Last year, the group victimized Marvel, The New York Times, and even the heads of some of the biggest technology companies in the world. Mark Zuckerberg, Jack Dorsey, Sundar Pichai, and Daniel Ek — the CEOs of Facebook, Twitter, Google and Spotify, respectively — have also fallen victim to the hackers, dispelling the notion that a career in software and technology exempts one from being compromised.",
"meta": {
"refs": [
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hbo-twitter-and-facebook-accounts-hacked-by-ourmine",
"https://gizmodo.com/welp-vevo-just-got-hacked-1813390834",
"https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/",
"https://en.wikipedia.org/wiki/OurMine"
]
},
"uuid": "2c9e1964-9357-11e9-ad8f-5f422851e912",
"value": "OurMine"
},
{
"description": "Antd is a miner found in the wild on September 18, 2018. Recently we discovered that the authors from Antd are actively delivering newer campaigns deploying a broad number of components, most of them completely undetected and operating within compromised third party Linux servers. Furthermore, we have observed that some of the techniques implemented by this group are unconventional, and there is an element of sophistication to them. We believe the authors behind this malware are from Chinese origin. We have labeled the undetected Linux.Antd variants, Linux.GreedyAntd and classified the threat actor as Pacha Group.",
"meta": {
"refs": [
"https://www.intezer.com/blog-technical-analysis-pacha-group/",
"https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/"
]
},
"uuid": "aa469d96-9357-11e9-bd7d-df125c7cba53",
"value": "Pacha Group"
},
{
"description": "This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability.\nIn late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html",
"https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/",
"https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/"
]
},
"uuid": "53583c40-935e-11e9-b4fc-d7e217a306d2",
"value": "Rocke"
},
{
"description": "An unnamed source leaked almost 10,000 documents describing a large number of 0-day vulnerabilities, methodologies and tools that had been collected by the CIA. This leaking was done through WikiLeaks, since March 2017. In weekly publications, the dumps were said to come from Vault 7 and later Vault 8, until his arrest in 2018.\nMost of the published vulnerabilities have since been fixed by the respective vendors, by many have been used by other threat actors. This actor turned out to be a former CIA software engineer.\n(WikiLeaks) Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named \"Vault 7\" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.\nThe first full part of the series, \"Year Zero\", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election.\nRecently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized \"zero day\" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.\n\"Year Zero\" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of \"zero day\" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.",
"meta": {
"refs": [
"https://wikileaks.org/ciav7p1/",
"https://www.justice.gov/opa/pr/joshua-adam-schulte-charged-unauthorized-disclosure-classified-information-and-other-offenses"
]
},
"uuid": "9f133738-935f-11e9-aa5e-bbf8d91abb46",
"value": "[Vault 7/8]"
},
{
"description": "CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”\nPINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
"https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0"
]
},
"uuid": "e01b8f3a-9366-11e9-9c6f-17ba128aa4b6",
"value": "Zombie Spider"
}
],
"version": 118
"version": 119
}