Merge pull request #118 from Delta-Sierra/master

add MuddyWater + Update HIDDEN COBRA and update its tools
pull/119/head
Alexandre Dulaunoy 2017-11-17 18:30:15 +01:00 committed by GitHub
commit abaefccab5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 4 deletions

View File

@ -7,7 +7,7 @@
],
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
"uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
"version": 4,
"version": 5,
"values": [
{
"meta": {
@ -2138,6 +2138,15 @@
"https://cdn.riskiq.com/wp-content/uploads/2017/10/RiskIQ-htpRAT-Malware-Attacks.pdf?_ga=2.159415805.1155855406.1509033001-1017609577.1507615928"
]
}
},
{
"description": "According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victims system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.",
"value": "FALLCHILL",
"meta": {
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA17-318A"
]
}
}
]
}
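Review bot: the FALLCHILL description has a typo, "to a victims system" should be "to a victim's system" (the TA17-318A text it is taken from uses the possessive). Minor style point in the same hunk: the new object is ordered `"description"`, `"value"`, `"meta"`, while the existing entries in this file open with `"meta": {` (see the context line just above the hunk); keeping the same key order makes later diffs on this cluster easier to read.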

View File

@ -1093,7 +1093,10 @@
"https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
"https://www.us-cert.gov/ncas/alerts/TA17-164A",
"https://securelist.com/lazarus-under-the-hood/77908/",
"http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf"
"http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf",
"https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
"https://www.us-cert.gov/ncas/alerts/TA17-318A",
"https://www.us-cert.gov/ncas/alerts/TA17-318B"
]
},
"value": "Lazarus Group",
@ -2218,6 +2221,15 @@
},
"description": "Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ",
"value": "Sowbug"
},
{
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
]
},
"description": "MuddyWater",
"value": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques."
}
],
"name": "Threat actor",
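Review bot: the `"description"` and `"value"` keys of the new MuddyWater object are swapped. As written the entry's value (its name in the galaxy) would be the whole paragraph starting "The MuddyWater attacks are primarily against Middle Eastern nations..." and its description would be "MuddyWater"; it should be `"value": "MuddyWater",` with the paragraph as the description, matching the Sowbug entry just above it. Also, the description text is copied in Unit 42's first person ("we have also observed", "a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”"); rewording it to the third person (or attributing it to Palo Alto Networks Unit 42 in the text) avoids the galaxy appearing to speak as the vendor, and the curly quotes around POWERSTATS could be replaced with plain ones for consistency with the rest of the file.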
@ -2232,5 +2244,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 28
"version": 29
}

View File

@ -10,7 +10,7 @@
],
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"version": 35,
"version": 36,
"values": [
{
"meta": {
@ -3029,6 +3029,15 @@
"https://securelist.com/the-silence/83009/"
]
}
},
{
"value": "Volgmer",
"description": "Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer",
"meta": {
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA17-318B"
]
}
}
]
}
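Review bot: the Volgmer description is missing its terminating period ("compromised with Volgmer" ends the string without one), which the TA17-318B text it quotes has. Same style point as for the FALLCHILL entry added in this commit: this object is ordered `"value"`, `"description"`, `"meta"`, the FALLCHILL one is `"description"`, `"value"`, `"meta"`, and the existing entries in this file open with `"meta": {`; one consistent key order across the two new HIDDEN COBRA entries would be preferable.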